Clear text password risk reduction
16-02-2008, 12:12 AM
For those still concerned about the password being stored in the database in clear text, there is a solution that dramatically reduces the risk of having the passwords stored in the clear-text field.
The solution involves creating a cron job that changes the field the clear text password is stored in every x seconds/minutes. Our system changes the field every minute as we think that is sufficient time. Even on large user databases this is fast and does not greatly impact performance.
There are several caveats to doing this:
1. Users will not be able to retrieve what their current password is (they will have to call or otherwise contact the system admin or support staff to have it manually reset)
2. The Kayako system uses the clear text password field in the recovery email that is sent to the individual, and so whatever you replace in the field will appear in the email. We use a phrase as our replacement text to notify users of the step they need to take to get their password reset (you only have 50 characters by default).
3. When the sys admin or support personnel change the user's password, it is again available in the database in the clear text field until the cron runs again. However, the risk exposure is reduced dramatically, in our case to 1 minute.
4. If a user wants to change their password they won't be able to because the Kayako system uses the clear text password field for validation of the old password during the password change process. There are some additional things that would need to be done to fix this and we have made those modifications to our system.
Again, with all the proper changes this issue can be greatly reduced from a risk perspective until, or if, there is ever any action taken to change this process from the developers' side of things. My recommendation would be for a random password to be generated and sent to the user when a recovery is attempted.
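The scrub job the post describes, written out as an added example (this is not the poster's script and not Kayako's own code). It assumes a hypothetical `users` table with a clear-text `password` column of 50 characters, since Kayako's real table and column names are not given in the post; the sample rows are constructed. It also includes the recommendation from the last paragraph, generating a random password on a recovery request instead of mailing the stored one, and uses an in-memory SQLite database so it runs offline.

```python
import secrets
import sqlite3

# Hypothetical names standing in for Kayako's real user table and column.
TABLE = "users"
COLUMN = "password"
MAX_LEN = 50  # the post says the clear-text field holds 50 characters by default
PLACEHOLDER = "Password hidden. Contact support for a reset."  # 45 chars, fits

# The cron line that would run this script every minute (assumed path):
#   * * * * * /usr/local/bin/scrub_passwords.py


def make_placeholder(text: str = PLACEHOLDER, max_len: int = MAX_LEN) -> str:
    """Return the replacement phrase trimmed to the column width, so the
    database never silently truncates it mid-word (it ends up in the
    recovery e-mail, so it has to read as a complete instruction)."""
    if len(text) <= max_len:
        return text
    return text[:max_len].rstrip()


def scrub_cleartext_passwords(conn: sqlite3.Connection) -> int:
    """Overwrite every stored clear-text password that is not already the
    placeholder. Returns the number of rows changed, which is what the cron
    job would log; a second run right after the first changes nothing."""
    placeholder = make_placeholder()
    # Rows whose password is NULL are left alone: there is nothing to hide.
    cur = conn.execute(
        f"UPDATE {TABLE} SET {COLUMN} = ? WHERE {COLUMN} != ?",
        (placeholder, placeholder),
    )
    conn.commit()
    return cur.rowcount


def issue_recovery_password(conn: sqlite3.Connection, email: str) -> str:
    """The alternative the post recommends: on a recovery request, generate a
    fresh random password and store that, instead of revealing whatever was in
    the field. The next cron run wipes it again, so the window is one minute."""
    new_pw = secrets.token_urlsafe(9)  # 12 URL-safe characters
    cur = conn.execute(
        f"UPDATE {TABLE} SET {COLUMN} = ? WHERE email = ?", (new_pw, email)
    )
    conn.commit()
    if cur.rowcount != 1:
        raise LookupError(f"no user with e-mail {email!r}")
    return new_pw


def stored_password(conn: sqlite3.Connection, email: str) -> str:
    """Read back what is currently in the clear-text column for one user."""
    row = conn.execute(
        f"SELECT {COLUMN} FROM {TABLE} WHERE email = ?", (email,)
    ).fetchone()
    return row[0] if row else None


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: three users with clear-text passwords stored,
    as Kayako did at the time of the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (email TEXT PRIMARY KEY, {COLUMN} VARCHAR({MAX_LEN}))"
    )
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [
            ("alice@example.com", "hunter2"),
            ("bob@example.com", "letmein!"),
            ("carol@example.com", "S3cret-pass"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("scrubbed:", scrub_cleartext_passwords(db))   # 3 on first run
    print("scrubbed:", scrub_cleartext_passwords(db))   # 0 on the next run
    temp = issue_recovery_password(db, "bob@example.com")
    print("temporary password issued, exposed until next run:", temp)
    print("scrubbed:", scrub_cleartext_passwords(db))   # 1, the new one
```

Run it from cron as shown in the comment; the returned row count is the only thing worth logging, since logging the old values would defeat the purpose. Note that the scrub does not fix caveat 4: a password-change form that compares the old password against this column will reject every user once the column holds the placeholder.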