Passwords not hashed or encrypted #1975
Comments
That's what the
For password encryption there is a module named auth_crypt: https://www.odoo.com/apps/trunk/auth_crypt/
"Plain text passwords "might" be useful in development, as people from odoo say."
Yes, I also believe the default behaviour should be encrypted, with an optional module to make it clear text (for development purposes, maybe?). But the current situation is the described one.
Oh yeah, the example I gave was just for the admin user. You can also of course do this:
Why has this issue been closed? Has there been a fix to the problem?
They shouldn't be encrypted, they should be hashed (encryption = at least a 1:1 ratio of password length to the encrypted output length and is reversible; hashing will result in a fixed length and is non-reversible). @xmo-odoo please explain to me how knowing passwords in development is of any use to a developer. You should make it as easy as possible for people to succeed with your project; making it so they need to remember to add security before pushing is just asking for configuration errors (people forgetting to add it). Also, a lot of people just don't understand password security... So they won't ever get rid of plain text... Make it easy for people to succeed, hard to fail.
The fix was always there (install auth_crypt), auth_crypt is automatically installed in v8 (since 5388eee)
Cryptographic hashing is a subset of encryption, so are KDFs. In Odoo 8, auth_crypt defaults to pbkdf2_sha512 via passlib and this can be overridden with a different KDF if desired or necessary. As far as I know it has never used a reversible encryption scheme, although it has historically used a weak KDF (md5crypt).
Why would I explain a position I never held?
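An added example, not part of the thread and not Odoo's or auth_crypt's code, of the contrast being argued here: a user table holding a clear-text value next to salted PBKDF2-HMAC-SHA512 records, with a check that finds the clear-text rows. It uses Python's standard `hashlib` in place of passlib; the record format, the `demo-pbkdf2-sha512` label, the round count and the row layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "demo-pbkdf2-sha512"   # label made up for this example, not passlib's format
ROUNDS = 100_000                # assumed work factor; tune for your hardware

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(password, salt=None, rounds=ROUNDS):
    """Return a self-describing record: $scheme$rounds$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "${}${}${}${}".format(SCHEME, rounds, _b64(salt), _b64(digest))

def verify_password(password, record):
    """Recompute the KDF with the stored salt and rounds; compare in constant time."""
    try:
        _, scheme, rounds, salt, digest = record.split("$")
        if scheme != SCHEME:
            return False
        actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                     base64.b64decode(salt), int(rounds))
        return hmac.compare_digest(actual, base64.b64decode(digest))
    except ValueError:   # clear-text value or malformed record: never a match
        return False

def is_hashed(stored):
    return stored.startswith("$" + SCHEME + "$")

def find_plaintext(rows):
    """Logins whose stored value is readable by anyone with database access."""
    return [login for login, stored in rows if not is_hashed(stored)]

def migrate(rows):
    """Replace every clear-text value with a salted KDF record."""
    return [(login, stored if is_hashed(stored) else hash_password(stored))
            for login, stored in rows]

# Constructed sample rows (login, stored value), using the admin/admin case from the issue.
SAMPLE_ROWS = [("admin", "admin"), ("demo", hash_password("demo"))]

if __name__ == "__main__":
    print("clear text before:", find_plaintext(SAMPLE_ROWS))
    fixed = migrate(SAMPLE_ROWS)
    print("clear text after: ", find_plaintext(fixed))
    print("admin can still log in:", verify_password("admin", dict(fixed)["admin"]))
```

Because each record carries its own salt and round count, two users with the same password get different stored values, and the work factor can be raised later without invalidating existing records.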
This has been an issue on OpenERP but also exists on Odoo:
See for yourself. In this example the database named somedb has user admin with password admin. Log in to the postgres command line: