Home » Download » Modules » Cpanel Integration » Issues

create email accounts with same password as drupal account?

bluecobalt - May 31, 2006 - 02:52
Project:Cpanel Integration
Version:4.7.x-1.x-dev
Component:Code
Category:feature request
Priority:critical
Assigned:yecarrillo
Status:by design
Description

Hi,

Would it be possible to have the cpanel integration module create email accounts with the same password as the user's drupal account, rather than using their username as the password? This would be more secure for the users.

I know that they can change the password once they login to their email, but I would prefer to not have them go through that extra step. If anyone forgets to change their password, their email could be easily compromised by another user.

thanks,
blue

» Login or register to post comments

#1

desm0n - May 31, 2006 - 07:41
Priority:normal» critical

I couldn't agree more to this. Having the password set as the username is just opening up trouble to spammers.

I think this is a critical update and needs to be addressed as word will get out quickly how easy it is to use a members email account.

Login or register to post comments

#2

yecarrillo - June 5, 2006 - 03:52
Assigned to:Anonymous» yecarrillo
Status:active» by design

Assign the username as password is not an intentional security hole.

Creation of accounts is done in two cases:

  • When a "new" user is added to the database (hook_user, $type='insert'). Accounts created at this moment will have the same password as the drupal user.
  • When an existing user applies for an account (hook_user, $type='update')
    Here is the trouble. If the user is updating his/her password at the same time (types the new password in both textfields), the new user password will be available to create the email account. However, in most cases, the user just applies to the account without change his/her password. In this case, user password is not available into the hook to do this action. This is the reason to use "username" as the password for the email account.

    • Workarounds?
    1. Generate a random password.
    2. Stop creating accounts on the later case.

    Suggestions are welcome.

    Login or register to post comments

    #3

    desm0n - June 5, 2006 - 06:14

    As per your suggest i would say that a random password assigned to that email account would be best as using the username is seriously going to cause issues in the long term. Or better still, ask the user a password to set and assign that to the email account only ? So he/she has a seperare managable password for both drupal and his/her email account.

    You could also give the user (if this is possible) the option at a latter date to change passwords for his/her email account through the my account user interface.

    Login or register to post comments

    #4

    bluecobalt - June 5, 2006 - 22:30

    hey guys,

    yecarrillo, thanks for this module. i've been needing this for a while.

    i would prefer that users that are creating their account after already having a drupal account get to choose their password at time of email account creation.

    and, i agree with desm0n, i would love to see the ability for users to update their email password in their drupal account.

    peace,
    blue

    Login or register to post comments

    #5

    yecarrillo - June 8, 2006 - 01:46

    I wll try to do materialize your suggestions next weekend.

    About changing the email password from Drupal, in fact, the module already do that. Every time the user update her/his Drupal password, a request is send for changing the email password too.

    Login or register to post comments
     
     

    Drupal is a registered trademark of Dries Buytaert.