http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3477 --- Comment #1 from Galen Charlton <gmcharlt@gmail.com> 2009-08-04 01:17:09 --- (In reply to comment #0)
Sponsored by East Brunswick Public Library, East Brunswick, NJ, USA.
Plaintext passwords can only be stored for patrons added or patron passwords edited after the syspref is turned on; it cannot retroactively convert existing passwords. Thus, if this capability is desired, the feature must be present and the syspref turned on before patron import. Libraries should consider the security implications of having plaintext passwords visible.
This worries me, particularly if *staff* passwords are also stored in plaintext. Although it may be water under the bridge with respect to the sponsoring library, typical best practice for password security is to store a password as a one-way hash, and if a patron forgets their password, have the library *reset* it rather than read it off to the patron. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.