Download & Extend
SMTP Authentication Support » Issues

Password field is insecure

Posted by ouzo on February 9, 2007 at 9:31am
Project:SMTP Authentication Support
Version:6.x-1.x-dev
Component:User interface
Category:feature request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

It woud be nice if the smtp-password-field use the html input type="password" and stores the password in the database encrypted.

Login or register to post comments

Comments

#1

Posted by dsp1 on March 14, 2007 at 12:13pm

i agree.

#2

Posted by baloneysammitch on March 19, 2007 at 2:07pm

Thirded.

#3

Posted by LukeLast on March 20, 2007 at 6:41am

I could maybe settle for a hide password check box.

#4

Posted by mishhh on April 1, 2007 at 10:10am

Second that

#5

Posted by smk-ka on April 3, 2007 at 3:18pm

What would be gained from an encrypted password? If I already have access to the database, I can easily retrieve the salt used and decrypt the password. Changing the field type sounds ok, though.

#6

Posted by dirkjot on September 10, 2008 at 1:51pm

This is a discussion which has been entertained endlessly for other applications. Basically, encrypting the password only prevents that an admin will accidentally learn your password. So you can argue encryption gives a false sense of security.

However, Drupal stores user passwords encrypted (in the 'pass' field of the 'user' table). So IMHO, smtp should follow that example and use encryption for the password and an appropriate html form element.

#7

Posted by Rob Loach on September 23, 2008 at 7:32pm

Yup.

#8

Posted by kylehase on November 21, 2008 at 1:36am

Drupal uses a one-way hash on its password field. This is fine because it can simply hash passwords from the login form and match it against the stored hash. There is no reason Drupal needs to know the user's plain text password.

However, the SMTP password is used by Drupal to authenticate with a third party (SMTP server) so if you want to encrypt it you'd need to use a reversible encryption (mcrypt etc) to decrypt it before use. Since the decryption keys would have to be available to Drupal, anyone who has access to the Drupal files and database would also be able to decrypt the encrypted passwords. In other words, this would only add protection from people who have access to the database but do not have access to the Drupal files. Also, true reversible encryption requires PHP extensions which may not be installed on many hosts.

#9

Posted by sun on November 21, 2008 at 9:00am
Assigned to:ouzo» Anonymous

Yes, the difference to user passwords is that typed in user passwords are also hashed before validation against the stored password. To be future-proof, SMTP module must not store the configured authentication credentials, so they can be encrypted/hashed on demand for SMTP servers that only support certain AUTH methods.

Additionally, site builders should be able to easily place SMTP credentials into settings.php.

#10

Posted by jeffschuler on June 15, 2009 at 3:08am

Sounds like there are two separate issues here:

  • that a password form field should be used on the admin page to prevent over-the-shoulder reading of the password.
  • that the password is stored in the database in plain-text

The second doesn't block the first, does it?
Is there anything wrong with the simple change in the patch attached? It just makes the password field a real password field...

(If "false sense of security" is an issue, maybe a warning can be provided...)

AttachmentSize
smtp_117450_hide_password.patch 629 bytes

#11

Posted by jeffschuler on June 15, 2009 at 3:07am
Version:5.x-1.x-dev» 6.x-1.x-dev
Status:active» needs review

#12

Posted by Rob Loach on June 15, 2009 at 3:44pm
Status:needs review» reviewed & tested by the community

This is good enough for now. Great work!

#13

Posted by mcrittenden on October 6, 2009 at 5:51pm
Title:smtp password Field» Password field is insecure

#14

Posted by k74 on October 7, 2009 at 5:19pm

To be included in the next version?

#15

Posted by pobster on December 19, 2009 at 11:21pm

I would settle for a separate permission for this module.

http://drupal.org/node/426010#comment-1520896

Pobster

#16

Posted by franz on December 30, 2009 at 1:18am
Status:reviewed & tested by the community» fixed

Nice discussion, good points, simple patch.

Commited =)

#17

Posted by System Message on January 13, 2010 at 1:50am
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

nobody click here