Displaying customer passwords to admin
#51
Re: Displaying customer passwords to admin
carpeperdiem, seriously, what is the problem? It's not like anything other than a customer's address, email address, and phone number is going to be associated with their account. All credit card information had better be separate or you have much bigger problems than someone being able to see a password.
And it's not just x-cart, as I pointed out in my previous post, anyone using Firefox is able to see every password displayed on a screen on any website.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#52
Re: Displaying customer passwords to admin
I agree with carpeperdiem - the password is there for a reason. It should not even be showing as a field in admin. There is no need for it (admin can always login as that customer). Admin should not be able to see or modify customer passwords. If needed, customers can reset the password or create a new account.
Call your bank and ask them to tell you the password on your account - they won't, they simply can't, it is not showing for them. But they can tell you all the other info - name, address, phone, username...
__________________
Steve Stoyanov CFLSystems.com Web Development
#53
Re: Displaying customer passwords to admin
Passwords are expected to be private and encrypted. That is my expectation as a customer.
Can Amazon or Oldnavy or iTunes or other billion dollar stores see their customer passwords from the backend? I am fairly confident they can't. Why should puny-ass x-cart stores want to behave differently? It's about trust. If the xcart platform is to be taken seriously by customers, we (merchants) better treat our customers like the goldmine they are. There is no justification for unencrypted passwords, anywhere. None. There are tools to recover forgotten passwords, and an admin can make a new temp password (and require a password change on first login), built in. The principle here is privacy, and an expectation of privacy between customer and store. By circumventing this and using an unencrypted password, a store breaks that trust.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#54
Re: Displaying customer passwords to admin
Quote:
While you are fairly confident they can't, they most likely can. How else can they tell you pretty much everything about your account?
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#55
Re: Displaying customer passwords to admin
Of course they have access to account data. That doesn't mean they can see an encrypted password. That's the point of this -- OF COURSE the merchant or bank NEEDS to have 100% access to all account data -- but the customer password will and should always remain encrypted. We've all had password issues of some sort over the years - and most systems are designed to NOT let a call center or admin in the backend EVER see a customer password. To protect the merchant as much as the customer.
That's the point. Not about a call center flunky knowing your checking account balance -- the systems are designed to prevent passwords from being visible to anyone but you. And if our system permits this, then golly geez it's time to fix this design flaw immediately. I can't think of ANY circumstances where an admin needs to know the actual password of a customer. There are NO situations where this is needed. Period. In the case of a forgotten password, use password recovery. In the case of a username or email address change, use the admin, force a new temp password with a required password change on first login. I don't EVER want to know my customers' passwords. I expect this security hole to be patched. Can we declare this a product default? Do the PCI folks care about this "feature"?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#56
Re: Displaying customer passwords to admin
[quote=carpeperdiem]And if our system permits this, then golly geez it's time to fix this design flaw immediately.[/quote]
That is my point, it's not just "our system". Anytime anyone is looking at a web page anywhere that has a password field on it, anyone can decrypt it with a simple web browser addon. That should be reason enough to not include any really important information like credit card numbers, social security numbers, tax numbers, etc. to be directly associated with that password.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#57
Re: Displaying customer passwords to admin
I am declaring this a product defect.
User passwords should NEVER be displayed in the admin, even if they are hidden by dots.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#58
Re: Displaying customer passwords to admin
Quote:
This is because the password is displayed decrypted in the password text field in admin. If it is not displayed at all, the FF dev tools will not be able to show it to you.
__________________
Steve Stoyanov CFLSystems.com Web Development
#59
Re: Displaying customer passwords to admin
Quote:
I realize that, but since passwords are displayed encrypted at least 99.9% elsewhere on the internet it seems kind of ludicrous to complain about its presence in x-cart, particularly when it IS displayed encrypted by default. To call it a "defect" is ridiculous IMO. If you don't want to see the password then don't use the mod or addon, but that isn't going to make others not use them.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#60
Re: Displaying customer passwords to admin
Quote:
No. It is NOT displayed encrypted. It is simply displayed (unencrypted), with a * character hiding the output. But the underlying password is in the html, and the code is using a browser (client side) feature to "hide" the password. That's useless. X-cart needs to ENCRYPT the password, or simply not display it at all. I stand by my statement, "design defect".
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
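The two points the thread keeps circling back to are (a) the admin form in #60 writes the stored plaintext into a type="password" input, where the browser's dots hide it from the eye but not from the page source, and (b) the recovery path in #55 is an admin-issued temporary password with a forced change on first login, which needs no plaintext at all. The following is an added example, written for this thread and not X-Cart's own code: a small in-memory account store that keeps only a salted PBKDF2 hash, verifies logins with a constant-time compare, implements the temp-password reset, and renders the leaky form beside a form that has nothing to leak. The store, the PBKDF2 parameters, the form markup and the sample accounts are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os
import secrets
from typing import Optional, Tuple

# Constructed in-memory "database": one row per customer login. Only a
# salt and a hash are stored, so there is no plaintext for an admin page
# to display even if it wanted to.
CUSTOMERS = {}

# Assumed work factor for the example; tune it for real hardware.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def create_customer(login: str, password: str) -> None:
    """Registration: hash once, store salt + digest, discard the plaintext."""
    salt, digest = hash_password(password)
    CUSTOMERS[login] = {"salt": salt, "digest": digest, "must_change": False}


def verify_login(login: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = CUSTOMERS.get(login)
    if row is None:
        # Run the KDF anyway so response time does not reveal whether the login exists.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, row["salt"])
    return hmac.compare_digest(digest, row["digest"])


def admin_reset_password(login: str) -> str:
    """The recovery path from post #55: issue a random temporary password and
    force a change at next login. The old password is never recovered (it was
    never stored) and the temporary one is returned exactly once for handover."""
    temp = secrets.token_urlsafe(12)
    salt, digest = hash_password(temp)
    CUSTOMERS[login] = {"salt": salt, "digest": digest, "must_change": True}
    return temp


def must_change_password(login: str) -> bool:
    return CUSTOMERS[login]["must_change"]


def render_admin_form_leaky(login: str, plaintext_password: str) -> str:
    """The pattern post #60 objects to: a stored plaintext written into a
    type=password input. The browser masks it with dots, but the value sits
    in the HTML and is visible to anyone who can view the page source."""
    return (
        f'<input name="login" value="{html.escape(login)}">\n'
        f'<input type="password" name="password" value="{html.escape(plaintext_password)}">'
    )


def render_admin_form(login: str) -> str:
    """Hardened form: no password field at all, only a reset action. With a
    hashed store there is no plaintext available to leak in the first place."""
    return (
        f'<input name="login" value="{html.escape(login)}">\n'
        '<button name="action" value="reset_password">Issue temporary password</button>'
    )


if __name__ == "__main__":
    create_customer("alice@example.com", "correct horse battery staple")
    print(verify_login("alice@example.com", "correct horse battery staple"))  # True
    print(verify_login("alice@example.com", "wrong"))                         # False
    print(render_admin_form_leaky("alice@example.com", "correct horse battery staple"))
    print(render_admin_form("alice@example.com"))
    temp = admin_reset_password("alice@example.com")
    print(verify_login("alice@example.com", temp), must_change_password("alice@example.com"))  # True True
```

Running it shows the contrast directly: the "leaky" markup contains the customer's password in clear, while the hardened markup contains only the login and a reset button, and after `admin_reset_password` the old password no longer verifies and the account is flagged to change the temporary one at first login. The thread's "encrypted" wording is really about one-way hashing: a reversible encryption would still let a backend decrypt and display the value, which is exactly what a hash prevents.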
X-Cart forums © 2001-2020