eSupport stores user passwords as plain text

[MarcG]

Hi,
looking through the eSupport php files I just found the function changeUserPassword. Taking a closer look at it I have seen, that the password seemed to be stored as plain text.
Our System is still not productive and in a testing stage, so the user passwords have not been changed from the raqndom ones given from the system. so looking at the DB did not offer something to be suspicious till now. Just to be sure I took a password from there and made a md5 hash from it. And yes, it is the password in plain text that is stored there in the db. Alongside with the md5 hashed password.

As a user I personally hate it when I get sent my password after i forgot it. This means the store it either plain text or in a reversible way. The password should be stored irreversibly and asking for my forgotten password should give me a new random password asking me to change it afterwards.
The same here. Why is the password stored in plain text in the DB? I see no need for this at all and from securitys point of view this is something that should not happen at all.
Furthermore the password is stored only as a... plain md5 hash. Nowadays this is not so much better than storing it plain text. Using rainbow tables also plain hashes are not so irreversible as they should be.
Using a hash with salt should be standard for storing passwords, in my opinion.

Is there a reason why eSupport stores the plain text passwords?


EDIT:
Anyway, having the plain text passwords stored in the db would make it easy to update it to a better way of storing them in a next version

[Jamie Edwards]

Hi Marc,

This has been discussed in detail in this thread: http://forums.kayako.com/f120/system...?highlight=md5