[Koha-bugs] [Bug 3477] Store patron OPAC passwords in plain text

bugzilla-daemon at kohaorg.ec2.liblime.com bugzilla-daemon at kohaorg.ec2.liblime.com
Fri Sep 25 21:54:52 CEST 2009


http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3477


MJR <mjr at ttllp.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjr at ttllp.co.uk




--- Comment #2 from MJR <mjr at ttllp.co.uk>  2009-09-25 19:54:52 ---
(In reply to comment #1)
> This worries me, particularly if *staff* passwords are also stored in
> plaintext.  Although it may be water under the bridge with respect to the
> sponsoring library, typical best practice for password security is to store a
> password as a one-way hash, and if a patron forgets their password, have the
> library *reset* it rather than read it off to the patron.

I agree: addition of this syspref appears to be a security bug.  It would also
prevent a Koha login being proof of a user's activity in any security breach.
I'm surprised if this isn't against privacy laws in the US, but I'm often
surprised by how weak US privacy safeguards are.

Should this request be resolved as a WONTFIX?


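As an added illustration of the practice comment #1 recommends (store only a one-way hash, and reset rather than read back), here is example code that is not Koha's own; the in-memory store, the borrower identifiers and the PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory stand-in for the borrowers table; a real system
# would persist the salt and digest per borrower in the database.
_STORE = {}

ITERATIONS = 200_000  # assumed work factor


def _digest(password: str, salt: bytes) -> bytes:
    # One-way: PBKDF2-HMAC-SHA256 over the password and a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(borrowernumber: str, password: str) -> None:
    """Store only salt + digest; the plaintext is discarded immediately."""
    salt = os.urandom(16)
    _STORE[borrowernumber] = (salt, _digest(password, salt))


def verify_password(borrowernumber: str, candidate: str) -> bool:
    """Check a login attempt without ever recovering the stored password."""
    record = _STORE.get(borrowernumber)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so mismatches do not leak digest bytes by timing.
    return hmac.compare_digest(stored, _digest(candidate, salt))


def reset_password(borrowernumber: str) -> str:
    """Library-initiated reset: issue a fresh temporary password instead of
    reading the old one out, which a one-way hash makes impossible anyway."""
    temporary = secrets.token_urlsafe(9)
    set_password(borrowernumber, temporary)
    return temporary
```

Because `_STORE` holds only a salt and a digest, there is no function that can return a patron's password to staff; the only supported recovery path is `reset_password`.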


