My boss wants to not hash any of the user passwords. He wants to be able to view all the passwords and resend the forgotten ones.
Is this a good practice?
Also - how can I turn off the password hashing in CakePHP 1.3 Auth?
Asked
Active
Viewed 161 times
1
-
7Doing the stupid tasks your boss asks you to? Yes, it's normally good practice if you want to keep the job. – Álvaro González Apr 09 '13 at 09:53
-
2It's a very bad idea, not to mention that it may be illegal in some jurisdictions. Resending the passwords by email is also _very_ insecure. – Aleks G Apr 09 '13 at 09:54
-
the best way to know all the user password.. :) – Bobby Stenly Apr 09 '13 at 09:54
-
what website do you run ? – NimChimpsky Apr 09 '13 at 09:54
-
2@ÁlvaroG.Vicario A better thing though is to convince your boss that it's not a very good idea - and do this in such a way as to make him think that he himself realised it. – Aleks G Apr 09 '13 at 09:55
-
so how about you help me and tell me why is it a bad idea? this is why I asked about this... – user2192677 Apr 09 '13 at 09:56
-
why is it a bad idea fo ryou to know everyone's password ? Thats not an IT question, its common sense. Please tell us your website so I can void it. – NimChimpsky Apr 09 '13 at 09:57
-
1I can kinda understand the "resend forgotten passwords", but why does he want to see all the passwords? You could just make him an admin account that has access to everything in the system. – JJJ Apr 09 '13 at 09:57
-
what should I tell him? – user2192677 Apr 09 '13 at 09:57
-
4You might get better or more answers over at security.se. – Christopher Creutzig Apr 09 '13 at 10:08
2 Answers
2
Don't store plain text passwords anywhere. If there is any form of security breach the passwords that your user probably uses elsewhere will be easiliy accesuible. You should encrypt and add a salt, or hash.
Your boss wants to know everyones password, I couldn't care less : my password is secret. Why not post their password up here and see how he/she likes unknown people knowing their secret password.
Don't resend forgotten passwords, send out a link where you can change password.
This is basic security 101.
Community
- 1
- 1
NimChimpsky
- 46,453
- 60
- 198
- 311
1
Of course not, this is the very bad practices. if some one forget his password, the password should be reset. And the application should have the ability to do so. ability to retrieve password is a big risk and no one can have responsibility of his password.
aymankoo
- 653
- 6
- 12
-
1
-
-
1Because lots of users will use the same password for different services. Stupid, I know. Then, when (not if) some bad guy gets hold of your database with all the passwords in clear text, they can impose as your users on lots of other web sites and services. Probably even including their mail and bank accounts. – Christopher Creutzig Apr 09 '13 at 10:10