[Koha-bugs] [Bug 3477] Store patron OPAC passwords in plain text
bugzilla-daemon at liblime.com
Tue Aug 4 03:17:09 CEST 2009
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3477
--- Comment #1 from Galen Charlton <gmcharlt at gmail.com> 2009-08-04 01:17:09 ---
(In reply to comment #0)
> Sponsored by East Brunswick Public Library, East Brunswick, NJ, USA.
>
> Plaintext passwords can only be stored for patrons added or patron passwords
> edited after the syspref is turned on; it cannot retroactively convert existing
> passwords. Thus, if this capability is desired, the feature must be present
> and the syspref turned on before patron import. Libraries should consider the
> security implications of having plaintext passwords visible.
This worries me, particularly if *staff* passwords are also stored in
plaintext. Although it may be water under the bridge with respect to the
sponsoring library, typical best practice for password security is to store a
password as a one-way hash, and if a patron forgets their password, have the
library *reset* it rather than read it off to the patron.
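The practice Galen describes above (store only a salted one-way hash, and have the library reset a forgotten password instead of reading it back) shown as a small, self-contained example. This is added illustration, not Koha code: Koha is written in Perl, and neither the `PatronStore` class, its record layout, nor the `23529000012345` card number below are from the project; they are constructed for this example. The PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2; an assumed illustrative value, tune it for your hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string.

    The password itself is never stored; only a salted one-way digest is, so
    nobody with read access to the borrowers table can recover it.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time. A malformed stored value never verifies."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class PatronStore:
    """Minimal in-memory stand-in for a borrowers table (constructed for this example)."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def add_patron(self, cardnumber: str, password: str) -> None:
        self._records[cardnumber] = {
            "password": hash_password(password),
            "must_change": False,
        }

    def check_login(self, cardnumber: str, password: str) -> bool:
        rec = self._records.get(cardnumber)
        if rec is None:
            # Do the same amount of hashing work so an unknown card number
            # is not distinguishable from a wrong password by response time.
            hash_password(password)
            return False
        return verify_password(password, rec["password"])

    def staff_reset_password(self, cardnumber: str) -> str:
        """What staff do instead of reading a password back to the patron:
        issue a random temporary password, store only its hash, and flag the
        account so the patron must choose a new one at next login. The
        temporary value is returned exactly once and is not retained."""
        temp = secrets.token_urlsafe(9)
        self._records[cardnumber] = {
            "password": hash_password(temp),
            "must_change": True,
        }
        return temp

    def must_change_password(self, cardnumber: str) -> bool:
        return self._records[cardnumber]["must_change"]

    def stored_value(self, cardnumber: str) -> str:
        """Expose what the database actually holds, to show it reveals no plaintext."""
        return self._records[cardnumber]["password"]


if __name__ == "__main__":
    store = PatronStore()
    store.add_patron("23529000012345", "s3cret")          # constructed card number
    print("login ok:", store.check_login("23529000012345", "s3cret"))
    print("db holds:", store.stored_value("23529000012345"))
    temp = store.staff_reset_password("23529000012345")   # handed to the patron once
    print("old password still works:", store.check_login("23529000012345", "s3cret"))
    print("temporary password works:", store.check_login("23529000012345", temp))
```

Note the two properties this gives that plaintext storage cannot: `stored_value` never contains the password, and a reset changes the stored hash rather than revealing anything, so a staff member who can see the table learns nothing about what patrons (or other staff) actually type.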