• Resolved cjluck

    (@cjluck)


    This was in a thread a year ago, and marked as resolved and closed, but the plugin still stores the user’s password in plaintext in the user_meta table before they are verified. This is a major security risk. Please advise a solution, and make a change in the next version.

    “First off–I love this plugin. Did everything I wanted to do with my site’s login area in a few clicks and it was clear. Seriously–a great thing.

    The plugin (sometimes?) stores passwords in plaintext to send the right notification emails, however. In my case, this is a security problem, especially since users are entering their passwords upfront before they receive verification emails etc. It would really suck to have my site leak a user’s default pass along with their email, which is totally a possibility if my site were compromised.

    The field is stored_user_password in the wp_user_meta table. I’ve commented out/edited the appropriate lines in my copy of the plugin, but thought I’d bring this to your attention as it struck me as a serious bug for any larger site that would be running this code…

    http://wordpress.org/extend/plugins/register-plus-redux/”

    https://wordpress.org/plugins/register-plus-redux/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author radiok

    (@radiok)

    I’ve addressed this quite a few times, but I’ll do it again. Passwords could be encrypted, but they cannot be hashed because we need to restore that password after the user is activated. The simple solution is not to allow user defined passwords. You may say, well, regardless, why not encrypt it? Well, it’s a trivial task, certainly, but… If your usermeta table is compromised, you have a bigger problem than a few user passwords being exposed, especially considering after the user activates that meta data is dropped, so this is only a temporary placement of sensitive data. Again, if back-end data access is obtained, this will most likely be the least of your problems. And, honestly, what’s the point, anyone with the skill to get this data could EASILY decrypt it. My encryption method would be in the Register Plus Redux PHP files which are open source and freely available. And finally, they cannot login with this information as these users are inherently unactivated. Therefore this is a bit of a long con. They have to sit on the password until the user drops off that table.

    Considering the number of times this has come up, I will look into creating a warning on the settings page notifying administrators of the potential weakness.

    Thread Starter cjluck

    (@cjluck)

    Thank you for responding to my message.

    I understand that there are several things that make this something that is the least of worries if someone gains access to the database, but I still don’t like the idea of passwords being stored in plain-text.

    Maybe have an option to disable storing the password in the user_meta table?

    Plugin Author radiok

    (@radiok)

    To not store the password in user_meta, you must not allow user set passwords.

    I did, recently, have the beginning of an idea. Perhaps I could reverse engineer how WordPress will ultimately hash the password and store that hash in user_meta then move that hash to the appropriate location after the user is activated… It’s something to consider.

    Thread Starter cjluck

    (@cjluck)

    Sure. Maybe there is a hook or filter to use the same hashing scheme that WordPress uses.

    Thanks for taking a look at this. I really appreciate it.
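    The idea sketched in the two replies above (hash the pending password with WordPress's own scheme, keep only the hash in usermeta, then move it into wp_users on activation), written out as an added PHP example. This is not Register Plus Redux code: the meta key, the function names and the assumption that the pending user row already exists are mine; `wp_hash_password()`, `wp_check_password()`, `$wpdb->update()` and `clean_user_cache()` are standard WordPress functions.

    ```php
    <?php
    // Added example, not the plugin's code. Must run inside WordPress so the
    // pluggable password functions and $wpdb are loaded.

    // Hypothetical meta key (the plugin's real key is stored_user_password).
    const EXAMPLE_PENDING_HASH_META = 'example_pending_password_hash';

    /**
     * At registration: hash with the scheme WordPress itself uses and keep
     * only the hash. The plaintext never reaches the database.
     */
    function example_store_pending_password( $user_id, $plaintext ) {
        $hash = wp_hash_password( $plaintext );
        return (bool) update_user_meta( $user_id, EXAMPLE_PENDING_HASH_META, $hash );
    }

    /**
     * At activation: copy the stored hash into wp_users.user_pass.
     * wp_set_password() takes plaintext and re-hashes, so the existing
     * hash is written directly with $wpdb instead.
     */
    function example_activate_pending_user( $user_id ) {
        global $wpdb;
        $hash = get_user_meta( $user_id, EXAMPLE_PENDING_HASH_META, true );
        if ( '' === $hash ) {
            return false; // nothing pending, or already activated
        }
        $updated = $wpdb->update(
            $wpdb->users,
            array( 'user_pass' => $hash ),
            array( 'ID' => (int) $user_id ),
            array( '%s' ),
            array( '%d' )
        );
        if ( false === $updated ) {
            return false; // leave the meta in place so activation can be retried
        }
        delete_user_meta( $user_id, EXAMPLE_PENDING_HASH_META ); // temporary copy gone
        clean_user_cache( $user_id ); // drop any cached WP_User holding the old hash
        return true;
    }

    /**
     * Check after activation: the hash now in wp_users verifies against the
     * password the user originally chose, so normal login works.
     */
    function example_hash_verifies( $user_id, $plaintext ) {
        $user = get_userdata( $user_id );
        return $user && wp_check_password( $plaintext, $user->user_pass, $user_id );
    }
    ```

    Because the stored value is a one-way hash, a leaked usermeta row no longer reveals the password itself, which is what the thread asks for; the hash still deserves the same handling as `wp_users.user_pass`, since it can be attacked offline just like any other password hash.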

    Does this plugin still store in plain text?

    Whoops! Just saw that this has been marked resolved. Sorry.

  • The topic ‘Storing passwords in plain text is insecure.’ is closed to new replies.