http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3477 MJR <mjr@ttllp.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mjr@ttllp.co.uk --- Comment #2 from MJR <mjr@ttllp.co.uk> 2009-09-25 19:54:52 --- (In reply to comment #1)
This worries me, particularly if *staff* passwords are also stored in plaintext. Although it may be water under the bridge with respect to the sponsoring library, typical best practice for password security is to store a password as a one-way hash, and if a patron forgets their password, have the library *reset* it rather than read it off to the patron.
I agree: addition of this syspref appears to be a security bug. It would also prevent a koha login being proof of a user's activity in any security breach. I'm surprised if this isn't against privacy laws in the US, but I'm often surprised by how weak US privacy safeguards are. Should this request be resolved as a WONTFIX? -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.