Cimy User Extra Fields
[resolved] wp_signups password (9 posts)

  1. Łukasz Wilk
    Member
    Posted 1 year ago #

    Hi,

    Marco, I wonder if you plan to do something with the wp_signups table. Your plugin is really nice, but I'm a bit worried about security. The passwords in this table are stored in open text format, which I don't believe is a good idea.

    For future reference it would be great if user list also showed not activated accounts and option to block account.

    Best
    Łukasz

    http://wordpress.org/extend/plugins/cimy-user-extra-fields/

  2. Marco Cimmino
    Member
    Plugin Author

    Posted 1 year ago #

    Yes it is a bit bad about the passwords, someone else complained about it. A fix is to not include password field in the registration process.

  3. KZeni
    Member
    Posted 1 year ago #

    I too came across this.

    Would there be some way to remove the password that's stored in wp_signups after that user has a user_pass present in wp_users? I'm not sure when would be the best point in the process to check for that, but I don't see why the password would need to be stored there indefinitely if it's only needed for part of the registration process. Right?

    In lieu of a full fix... the addition of a note next to the option on the settings page mentioning this, otherwise unknown, weakening of password security would be nice to see.

    Thanks!

  4. Marco Cimmino
    Member
    Plugin Author

    Posted 1 year ago #

    v2.3.12 will contain the fix suggested by KZeni, which means that the password will still be present in plain text format, but right after the confirmation by the registrant it will be deleted.

    I can still apply an encode/decode function to the password, but I believe it will not change the situation much; a user can still decode it by looking at the source code.

    Does this make sense?

  5. KZeni
    Member
    Posted 1 year ago #

    Yup, I see what you mean. I'm somewhat curious what happens to sites that had this set pre-2.3.12... will the users created before the update be left untouched, or is there some way to go through & clean those up when the update is first run? A thought.

    Thanks for taking care of this Marco!

  6. Marco Cimmino
    Member
    Plugin Author

    Posted 1 year ago #

    Indeed, old passwords won't be deleted; the patch only takes effect for newly registered users.

  7. Marco Cimmino
    Member
    Plugin Author

    Posted 1 year ago #

    v2.4.0 released with the fix.

  8. KZeni
    Member
    Posted 1 year ago #

    Thanks Marco!

    In regards to cleaning a database with previously stored passwords, it seems that the wp_signups table can have the meta info cleared for any user that has already been activated (since this info has been copied to the "active" location for user info).

    Then there's just the users that have yet to be activated. These still need the password to remain intact in order for that password to be used for their login, and this is the expected behavior moving forward. These signups can be purged at the administrator/owner's discretion if they aren't activated within a certain duration.

    This isn't implemented within the plugin, but I'm just stating possible actions that can be done to the database for others looking for suggestions. *I should state these methods are, as yet, untested so be sure to backup your database before doing anything (which you should be doing anyway).

  9. Marco Cimmino
    Member
    Plugin Author

    Posted 1 year ago #

    You can run this SQL query from your DB manager; it will delete all activated users.
    DISCLAIMER 1: untested!
    DISCLAIMER 2: your table name may be different due to different prefix.

    DELETE FROM wp_signups WHERE active = 1;
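
The cleanup KZeni described in post 8 and Marco's query in post 9, carried through as one added example (this is not code from the thread or from the plugin). It assumes the stock WordPress wp_signups columns (`active`, `registered`), the default `wp_` table prefix, and a 30-day retention window for unconfirmed signups; adjust all three to your site.

```sql
-- Added example: cleanup pass for a site that ran the plugin before v2.4.0.
-- Assumptions: stock wp_signups columns (active, registered), prefix "wp_",
-- MySQL/MariaDB syntax. START TRANSACTION only protects you on InnoDB tables;
-- on MyISAM each statement applies immediately, so back up the table first.

START TRANSACTION;

-- 1. Preview: how many signup rows still belong to already-activated users?
--    Each of these rows carries the plaintext password in its meta.
SELECT COUNT(*) AS activated_rows
  FROM wp_signups
 WHERE active = 1;

-- 2. Activated signups: wp_users already holds the hashed password, so the
--    signup row (and its meta) is no longer needed. This is Marco's query
--    with the invalid "DELETE *" syntax corrected.
DELETE FROM wp_signups
 WHERE active = 1;

-- 3. Unactivated signups still need their stored password until the user
--    confirms. Purge only those past the retention window (30 days here is
--    an assumed value; pick what suits the site).
DELETE FROM wp_signups
 WHERE active = 0
   AND registered < NOW() - INTERVAL 30 DAY;

-- 4. Check what remains per activation state, then COMMIT (or ROLLBACK
--    if the counts look wrong).
SELECT active, COUNT(*) AS remaining
  FROM wp_signups
 GROUP BY active;

COMMIT;
```

After this pass, only signups younger than the retention window and not yet confirmed keep a stored password, which matches the post-2.4.0 behaviour for new registrations.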

Topic Closed

This topic has been closed to new replies.
