  Public Ticket #1042576
Website Security
Closed

Comments

  • Simon started the conversation

    I purchased Revolution Slider years ago and just updated my subscription.

    I received an email from you with my clear-text password in it.

    I work as an Ethical Hacker for a well-known Security Consultancy. Please hash and salt customer passwords before saving them in the database.

    If your website is hacked it will be very embarrassing for your company.

  • Igor replied

    Hi,

    thank you for the issue report. I will forward it to our developers to take a look and act on it.

    Regards,
    Igor

  •   Max replied privately
  • Simon replied

    You store customer passwords in cleartext in the database for your main website. This is a serious security issue. You should be storing salted password hashes in the database to prevent hackers brute-forcing the passwords in the case of a database breach.

    I have checked and your website is based on PHP, so please implement the below or I will have to take this further. I do not wish to name and shame your company.

    http://php.net/manual/en/function.password-hash.php
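    The pattern behind the linked manual page, as an added example that is not from this ticket or from the vendor's site: registration stores only a salted bcrypt hash, login checks it with `password_verify()`, and the welcome email never carries the password. The in-memory `$users` array and the credentials are constructed stand-ins for a real users table.

```php
<?php
// Added example (not from this ticket or the vendor's code base).
declare(strict_types=1);

$users = []; // constructed stand-in for the users table: username => password hash

function registerUser(array &$users, string $username, string $password): string
{
    // PASSWORD_DEFAULT is currently bcrypt; a random salt is generated and
    // embedded in the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $users[$username] = $hash;
    return $hash;
}

function checkLogin(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
    if (!isset($users[$username])) {
        // Verify against a dummy hash so response time does not reveal
        // whether the username exists.
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // Login is the only moment the plaintext is available: if the cost or
    // algorithm has been raised since the hash was made, re-hash it now.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function welcomeEmailBody(string $username): string
{
    // The mail references the account but never the password; the stored
    // value is one-way, so the password cannot be recovered for a later mail either.
    return "Hello {$username}, your account has been created. "
         . "If you forget your password, use the reset link on the site.";
}

$hash = registerUser($users, 'simon', 'correct horse battery staple'); // constructed credentials
echo "stored value: {$hash}\n"; // a $2y$... string; the password itself appears nowhere
echo "correct password accepted: ", var_export(checkLogin($users, 'simon', 'correct horse battery staple'), true), "\n";
echo "wrong password accepted:   ", var_export(checkLogin($users, 'simon', 'wrong password'), true), "\n";
echo "unknown user accepted:     ", var_export(checkLogin($users, 'nobody', 'anything'), true), "\n";
echo welcomeEmailBody('simon'), "\n";
```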

  • Igor replied

    Hi,

    our website is Joomla based, so it is using the Joomla password mechanism for hashing and salting the password. I don't know how you got the impression that we are storing passwords in clear text in the DB. Joomla has not worked that way by default for ages.

    So, your suggestion is OK, but Joomla has been doing that, and even more, for a long time now.


    Regards,
    Igor

  • Simon replied

    I work for a very well known Security Consultancy in the UK as an Ethical Hacker. I know what I'm talking about and when I received an email from Unite CMS with my password in it I was thinking what the hell. 

    If passwords are being hashed this would be impossible as a hash is a one way algorithm. Would you like proof? I can screenshot the email for you.

  •   Simon replied privately
  • Igor replied

    Hi,

    I believe what you are saying, but you might not be aware how Joomla works by default. Passwords are stored hashed and salted in the DB. You did receive an email with the password in clear text, but this happens only during the registration. At that point, an email as a reminder to the member is sent in clear text for their info. After that, there is no way to retrieve a password in clear text from the DB.

    Regards,
    Igor