 |
Will Implement (V4) Feature requests in this forum will be implemented in Version 4 of the product line (the current version).
 |
| | LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
| ||||||||||||
|
|
| | LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
(#1)
  |
| Member  Posts: 527 Join Date: Dec 2005 Location: Sitting |  System -> Password encryption or hashing -
03-08-2007, 08:59 PM
Why are passwords not encrypted or hashed in the database? Passwords should NEVER be human readable, anywhere! |
| |  |
|
(#2)
|
| Operations Manager  Posts: 5,560 Join Date: Jan 2006 Location: United Kingdom |
03-08-2007, 09:21 PM
In order for clients to receive their ticket password each time they submit a ticket, the passwords cannot be hashed. The only way for this to happen would be to randomise the password every time they submitted a ticket - which would annoy a lot of them, I'd imagine. -------------------------------------------------------------------
|
| | |
|
(#3)
|
| Member Posts: 527 Join Date: Dec 2005 Location: Sitting |
03-08-2007, 09:30 PM
Passwords should therefore be ENCRYPTED which can be reversed out to clear for your e-mail situation. However, passwords should NEVER be stored in the clear and we have the option whether to include passwords in e-mails. For companies that want full lock down security they won't allow passwords in their e-mail and certainly don't want passwords stored in plain text anywhere, including a database. This is a major security issue that needs to be addressed with highest priority! I came across this when I was resolving my IMAP issue and I did a SELECT * on the database to get all the mail queue's to find the passwords to my e-mail accounts stored in the clear as well. Another major security issue as a sysadmin may be the only one that knows passwords to mailboxes but anyone with access to MySQL and the database can now view them! It's more than just user information, it's a major security issue across the board! |
| | |
|
(#4)
|
| Operations Manager Posts: 5,560 Join Date: Jan 2006 Location: United Kingdom |
03-08-2007, 09:44 PM
Quote:
Of course, we could keep the code that does some form of encryption under the encrypted portion of SupportSuite, but again this is still not extremely secure. If a hacker is determined enough to hack your server, retrieve a copy of your database in order to access the client passwords, the likelihood is that he or she will be determined enough to reverse-engineer the algorithm. Quote:
Quote:
Quote:
-------------------------------------------------------------------
| ||||
| | |
|
(#5)
|
| Operations Manager Posts: 5,560 Join Date: Jan 2006 Location: United Kingdom |
03-08-2007, 09:45 PM
Regardless of what I posted above, it is a good feature request that the option to use a "not entirely secure" encryption method for passwords be available.ave moved this thread into the Feature Requests forum. -------------------------------------------------------------------
|
| | |
|
(#6)
|
| Member Posts: 527 Join Date: Dec 2005 Location: Sitting |
06-08-2007, 03:53 PM
Passwords should never be sent in an e-mail, it should not be an option, but we do have the option to disable it. Passwords should NEVER be stored in plain text, EVER! Take not from vBulletin, they hash their information, if you have to reverse it out, encrypt it. Use SALT's as well for added security so dictionary attacks are mitigated. Again, do what vBulletin does, if you forget your password, it sends you a reminder question or simply changes it for you, when you login using the temp password you have to change it. There are ways to handle this, I adamately disagree with the lack of security I am finding with Kayako SupportSuite. |
| | |
|
(#7)
|
| Operations Manager Posts: 5,560 Join Date: Jan 2006 Location: United Kingdom |
06-08-2007, 06:58 PM
Hi Neal, This may be what you want, but the way SupportSuite has worked (for years - since the beginning) is that ticket passwords are sent out to customers in each ticket receipt. The majority of our customers do not disable this feature. We cannot implement password hashing and have the option to either hash passwords or not. Resetting the password in each ticket submission will also be a major inconvenience to users of a support desk. Your comparison between a forum software and SupportSuite is entirely misplaced. -------------------------------------------------------------------
|
| | |
|
(#8)
|
| Chief Operating Officer  Posts: 857 Join Date: May 2005 Location: Boise, Idaho |
06-08-2007, 08:07 PM
Quote:
However, storing the passwords in the db with some form of two-way encryption isn't particularly viable. The reason is that the key(s) would be easily retrieved (where would you store them?) so even if it was encrypted, an attacker would only need to know the algorithm and the key and then it would be equivalent of having plain text passwords. Just my two cents. -------------------------------------------------------------------
| |
| | |
|
(#9)
|
| Chief Operating Officer Posts: 857 Join Date: May 2005 Location: Boise, Idaho |
06-08-2007, 08:12 PM
In addition, I feel that it's necessary to address the whole idea of encrypting passwords in the db. If your db is compromised you have much bigger problems on your hands than someone having access to the passwords. What I mean is, if an attacker has your db, he already has access to *all the information* that you would be worried about them accessing with the password (e.g. ticket posts, notes, etc) -------------------------------------------------------------------
|
| | |
|
(#10)
|
| Member Posts: 527 Join Date: Dec 2005 Location: Sitting |
06-08-2007, 08:36 PM
Quote:
| |
| | |
|
(#11)
|
| Member  Posts: 122 Join Date: May 2006 |
07-08-2007, 05:04 AM
I will agree this has me a bit distressed..... |
| | |
|
(#12)
|
| Member Posts: 152 Join Date: Jun 2003 Location: Sydney, Australia |
07-08-2007, 10:07 AM
Quote:
Essentially a custom encryption/decryption routine included within the encrypted part of SupportSuite. It could further be enhanced by the following:
Should work fairly well. | |
| | |
|
(#13)
|
| Member Posts: 99 Join Date: Jul 2006 |
07-08-2007, 10:11 AM
We've got this featured disabled. It is very odd Kayako has chosen to not protect customer passwords in their software design. I do not know another software or online site that does this. Usually if customers forget password, they click on a link that allows them to either retrieve their password by answering a secret question or generate a new password. |
| | |
|
(#14)
|
| Senior Member Posts: 5,936 Join Date: Jun 2005 Location: Cumbria, UK |
07-08-2007, 10:31 AM
Quote:
Icon Headquarters - Its Elixir - Web2Messenger | |
| | |
|
(#15)
|
| Operations Manager Posts: 5,560 Join Date: Jan 2006 Location: United Kingdom |
07-08-2007, 12:52 PM
Quote:
@Craig; that is true, you are legally responsible for this kind of thing; but this security requirement should be focused around your own server hardening. If passwords are to be encrypted, then why not everything in the database? @Caitlyn; the reason why eSupport has not operated like 'most other software' in this respect is because the typical setup of eSupport (or the other lines) involved ticket submission via e-mail, which generated a password for the client in the ticket receipt. However, times that change require us to change to, so it is something that will certainly be reviewed. -------------------------------------------------------------------
| |
| | |
|
| Tags |
| >, encryption, hashing, password |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
| |
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Misc / General Autosave feature | mblendinger | Will Implement (V4) | 8 | 19-08-2008 11:45 PM |
| UNKNOWN Live chat -> System -> Record operator online hours | urevised | Feature Requests | 10 | 01-03-2008 03:25 PM |
| UNKNOWN System -> Downloads/Attachments -> Must be stored seperately | NC Software | Feature Requests | 2 | 10-11-2006 11:43 PM |
Linear Mode
