Displaying customer passwords to admin

 
#41
04-02-2010, 09:15 PM
sparker2
eXpert
Join Date: Feb 2007
Posts: 290

Re: Displaying customer passwords to admin

Works perfect in version 4.3.1. Just wanted to say thanks.
__________________
Shareen
sparker2@cox.net
http://www.stitches4u.com
X-Cart Version 4.5.0 with Smart Template vs 4.4.x
#42
04-02-2010, 09:19 PM
Pyro
X-Adept
Join Date: Nov 2009
Posts: 506

Re: Displaying customer passwords to admin

Sparker 2: did you use the steps outlined in post #36?
__________________
Best Wishes,
James

4.5.2 Gold (work in progress)
#43
04-04-2010, 03:20 AM
cautious
Advanced Member
Join Date: Oct 2003
Location: FL, US
Posts: 64

Re: Displaying customer passwords to admin

1++
It is worrisome that some people are justifying this mod with ...because users have problems with their passwords, therefore the admin needs to see their [users] passwords to go in to help them modify their profiles...

In other words, convenience is placed ahead of security. Imagine if BOA [Bank of America] has a similar functioning software and BOA admins insist on mods that will display customers' passwds in order to be able to help those customers! No one would want that and, certainly, the responsible Federal authority will not certify such a software suite.

2++
It appears that QT shares some of the blame for this problem. Although it can still be defeated just like anything else, at least QT should implement a one-way hash functionality on the front end [client side] so that only the hash of the user's passwd gets transported via the SSL channel and gets saved by the time it gets to the server side. In this case, the admin will not be able to see the actual passwd unless she resorts to brute force since she would still have access to the hash value in the server. On the other hand, if someone then creates a mod on the client side to either disable the client side passwd hashing functionality or save an un-hashed copy of the customer's passwd, the whole world, especially diligent QSAs, will be able to more easily flag such sites as in blatant violation of basic security, basic PCI compliance principles. Security experts have consistently emphasized there is no perfect security if the system is to be conveniently useful and that sensible security is a balance between security and convenience. So I urge QT to look into this problem to implement a solution such as putting the hashing functionality on the client side.

3++
In this connection, I have also seen some policies in which merchants claim/guarantee security because, although they save both CC numbers and the corresponding CVV codes, they delete all credit card information from their servers after 30 days. I hope you don't operate this way. The CVV code and the CC number should not be saved together as you do not need the info after the authorization and as long as the authorization is valid. The merchants that save them claim convenience because they need the CC info to process returns or to charge the customer the extra due to the difference between the return and substituted item in case of exchanges.

4++
By the way, in the current design, a mod is not needed for an admin to see a customer's passwd value. Just install webdev plug-in into FireFox (FF). Then login as admin and bring up the customer's profile. Scroll down to the passwd section. Verify that it is masked, displaying as dots. Then (since you've installed the appropriate webdev FF plugin) reveal the passwd by clicking FF's Forms > Show passwords. Voila! the passwd exposed.
__________________
Recommend www.paintball-gear-supplies.com for good deals on camping & outdoor supplies.
x-cart v4.1.10 on LAMP
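The thread's underlying problem is that the stored password is readable by whoever administers the shop. As an added example (not code from any poster or from X-Cart; the function names and the in-memory `$customers` store are hypothetical, and PHP 7 or later is assumed), this shows server-side one-way hashing with PHP's built-in `password_hash()`, plus an admin-issued one-time reset token as the support path that replaces looking up a customer's password:

```php
<?php
declare(strict_types=1);
// Constructed in-memory customer store standing in for the shop database.
$customers = [];

// Registration: keep only a salted one-way hash, never the password itself.
function register(array &$db, string $login, string $password): void {
    $db[$login] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'reset' => null];
}

// Login: password_verify() recomputes the hash; nothing is ever decrypted.
function login(array &$db, string $login, string $password): bool {
    if (!isset($db[$login]) || !password_verify($password, $db[$login]['hash'])) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($db[$login]['hash'], PASSWORD_DEFAULT)) {
        $db[$login]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Support path: the admin issues a one-time token instead of reading a password.
// Only the token's SHA-256 digest is stored, with a 30-minute expiry.
function admin_issue_reset(array &$db, string $login): string {
    if (!isset($db[$login])) { throw new InvalidArgumentException('unknown login'); }
    $token = bin2hex(random_bytes(32));
    $db[$login]['reset'] = ['digest' => hash('sha256', $token), 'expires' => time() + 1800];
    return $token; // delivered to the customer's registered e-mail, not shown on a page
}

// The customer redeems the token once and chooses a new password.
function redeem_reset(array &$db, string $login, string $token, string $newPw): bool {
    $r = $db[$login]['reset'] ?? null;
    if ($r === null || time() > $r['expires']
        || !hash_equals($r['digest'], hash('sha256', $token))) {
        return false;
    }
    $db[$login]['hash'] = password_hash($newPw, PASSWORD_DEFAULT);
    $db[$login]['reset'] = null; // single use
    return true;
}

register($customers, 'alice', 'correct horse');   // constructed sample data
$token = admin_issue_reset($customers, 'alice');
var_dump(redeem_reset($customers, 'alice', $token, 'new passphrase'));
var_dump(login($customers, 'alice', 'correct horse'));
var_dump(login($customers, 'alice', 'new passphrase'));
var_dump(redeem_reset($customers, 'alice', $token, 'third passphrase'));
```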
#44
10-01-2010, 11:15 AM
a1deano
X-Adept
Join Date: Oct 2004
Posts: 745

Re: Displaying customer passwords to admin

Anyone tried in v4.4?
__________________
--------------
V4.6.1
xcartmods - Reboot Template

X-cart - X-PDF

Altered Cart - Checkout one
#45
05-22-2011, 12:43 AM
swifty1
eXpert
Join Date: Aug 2008
Location: UK
Posts: 327

Re: Displaying customer passwords to admin

Is there a way to only show the password for "Usertype" customer and not the Administrator?
__________________
4.1.11 gold
x-special offers
CDSEO Pro
#46
05-23-2011, 11:09 AM
JWait
X-Man
Join Date: Nov 2005
Location: California
Posts: 2,440

Re: Displaying customer passwords to admin

Quote:
Originally Posted by swifty1
Is there a way to only show the password for "Usertype" customer and not the Administrator?

You could encapsulate the code inside a {if $usertype ne "A"}code{/if}
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
#47
08-17-2011, 11:18 AM
gravel
Senior Member
Join Date: Mar 2004
Posts: 156

Re: Displaying customer passwords to admin

I would also like to modify this so if the profile being viewed is an Admin, it does not show the password.

Quote:
Originally Posted by JWait
You could encapsulate the code inside a {if $usertype ne "A"}code{/if}

If anyone figured this out, please post the code. The code already has an if statement about $usertype, referring to the active user, not the profile being viewed, and I don't know how to modify it.

Code:
<INPUT {if $usertype eq "A"} type=text {else} type="password" {/if} id="passwd1" name="passwd1" size="30" maxlength="30" value="{$userinfo.passwd1}">

Thanks,
Dan
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
#48
11-18-2011, 04:01 PM
david@caworldwifi.com
Member
Join Date: Jul 2008
Posts: 19

Re: Displaying customer passwords to admin

In ver 4.4.4, how can I see the customer's password when I get a registration notice?
__________________
ver 4.1.10 and 4.4.4
xc-seo
cdseo
one page checkout mod
7dana
remember me mod
add to cart mod
www.caworldwifi.com
#49
11-20-2011, 06:49 AM
JWait
X-Man
Join Date: Nov 2005
Location: California
Posts: 2,440

Re: Displaying customer passwords to admin

Not to be obtuse, but if you use Firefox there is "web developer toolbar" addon that will allow you to see any passwords on the web page in the browser window.
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
#50
11-20-2011, 11:04 AM
carpeperdiem
X-Guru
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399

Re: Displaying customer passwords to admin

I find this entire thread to be offensive.
There is a reason I use crappy temp passwords for ecom sites, simply because the passwords are meaningless. If anyone wants to know my order history at a website, let them crack my password.
The fact that we (merchants) have the ability to see a user password is simply wrong.
We should all stop buying from x-cart stores.
Or shut down the password features -- and tell the customers as they "register" that their password is insecure.
Carrie, I would pull this mod, but that's just me.
Just because we can doesn't mean we should, right?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4