scottydawg Posted March 9, 2007
I just wanted to point something out, as I felt it's a security concern within the IPS Customer Center. In the profile area you have a place to put account information to help technical support with board issues. Passwords are shown in plain text, and if your IPS account were to become compromised, anyone would have access to that information for any licenses that you currently own. A suggestion would be to at least mask the passwords to prevent this.
.John. Posted March 9, 2007
To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...
scottydawg Posted March 9, 2007
> To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...

Oh, I won't bash you for it. =p I never knew the feature was there until today, when I started typing in the information. I'm just looking out for security in general.
Guest Posted March 9, 2007
Showing it in plain text could indeed be a compromising situation if someone is looking over your shoulder...
cojo Posted March 9, 2007
> To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...

Not necessarily. If a security hole is discovered, a hacker could use SQL injection to retrieve contents of a database. This is why one should never show visitors any specific error details related to a database call. Sometimes it gives enough info, or flags a possible hole, for a malicious person to exploit. If the stored data isn't encrypted, they've found a gold mine. I agree w/ scottydawg: all the passwords there should at least be masked, and the stored info encrypted, for security reasons.
Lindy (Management) Posted March 10, 2007
Point taken and an easy enough fix. No problem. :)
scottydawg Posted September 30, 2007
Any update on this? The problem still exists.
Luke Posted October 1, 2007
The reason why the passwords are stored in plain text is so the support rep can log in to the account and perform tasks requested by the customer. On the employee side, this has to be seen. On the customer side, I do agree it would be beneficial to mask it, just in case they logged in at a coffee shop or something and forgot to log out. On the employee side, it really isn't a concern.
elj Posted October 2, 2007
Obviously the passwords have to be kept unencrypted so they can be used by the staff for support, but I don't think it'd be too much hassle to change the two passwords to four masked boxes (2x password, 2x confirm) on the customer side. :)
scottydawg Posted October 21, 2007
I'm not worried about it on the employee side. I completely understand that they can't be encrypted. But I think that when the passwords are added to the system, they should not be able to be seen by the cst. An example would be that the cst could enter them in plain text, but once submitted the passwords would not be shown, and the only option would be to change the password.
stoo2000 Posted October 21, 2007
Well, in theory you could use Mcrypt to encrypt, and then un-encrypt it when the staff member wants to see it. Obviously you'd have to store a random salt somewhere, maybe?
Dr. Awesome Posted October 21, 2007
How about this: a script delivers a masked password to the client side, while it gets decrypted for the employee side. Basically, logging in from the employee's section allows you to see it.
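The scheme the last three posts converge on (the customer enters the password once and afterwards only sees a mask plus a "change" option; the value is stored reversibly encrypted so a support rep can still read it) as an added example. This is not IPS code and not any poster's code. It uses openssl_encrypt with AES-256-GCM in place of the Mcrypt call suggested above, since the mcrypt extension is deprecated as of PHP 7.1 and no longer part of core PHP from 7.2. The SUPPORT_CREDS_KEY environment variable, the license id, and the sample password are assumed or constructed values.

```php
<?php
// Added example (not IPS code): reversible encryption for stored support credentials.
// Assumptions: the key lives outside the database (environment variable or a file only
// the web app can read), and only the staff view ever calls open_password().
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';

/** Load the 32-byte key from outside the DB. SUPPORT_CREDS_KEY is a hypothetical name. */
function load_key(): string
{
    $hex = getenv('SUPPORT_CREDS_KEY');            // expected: 64 hex characters
    if ($hex === false || strlen($hex) !== 64) {
        throw new RuntimeException('SUPPORT_CREDS_KEY missing or not 32 bytes');
    }
    return hex2bin($hex);
}

/** Encrypt a password for storage. Returns the columns you would write to the DB row. */
function seal_password(string $plain, string $key, string $context): array
{
    $iv  = random_bytes(12);                        // fresh nonce per record, never reused
    $tag = '';
    // $context (here the license id) is bound as associated data, so a ciphertext
    // copied into another license's row fails authentication on decrypt.
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'iv'  => base64_encode($iv),
        'tag' => base64_encode($tag),
        'ct'  => base64_encode($ct),
    ];
}

/** Staff side only: recover the password. Fails closed on tampering or wrong context. */
function open_password(array $row, string $key, string $context): string
{
    $plain = openssl_decrypt(
        base64_decode($row['ct']), CIPHER, $key, OPENSSL_RAW_DATA,
        base64_decode($row['iv']), base64_decode($row['tag']), $context
    );
    if ($plain === false) {
        throw new RuntimeException('decryption failed (tampered row or wrong context)');
    }
    return $plain;
}

/** Customer side: never echo the secret or the ciphertext; a fixed mask plus a change action. */
function customer_view(array $row): array
{
    // Fixed width so the mask does not leak the real password length.
    return ['password' => str_repeat('*', 8), 'action' => 'change'];
}

// --- usage with constructed sample data -------------------------------------
putenv('SUPPORT_CREDS_KEY=' . bin2hex(random_bytes(32)));  // demo only; use a real secret store
$key = load_key();
$row = seal_password('example-admin-pw', $key, 'license-12345');  // constructed values

var_dump(customer_view($row));                                   // mask + change, no secret
var_dump(open_password($row, $key, 'license-12345') === 'example-admin-pw');  // bool(true)

try {
    open_password($row, $key, 'license-99999');  // wrong license context: authentication fails
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the split is that the customer-facing template only ever receives the output of customer_view(), so a stolen customer session, a shoulder-surfer, or a SQL injection that dumps the table gets a mask or an opaque ciphertext, while the key needed to read it never sits in the database the injection reaches.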
.Ryan Posted October 21, 2007
Or there could just be the standard box and a button that says hide, and it closes so you have to "unhide" it to view the password, and if someone is peeking at your screen they can't see it. So basically a collapsible field that expands and collapses...
Dr. Awesome Posted October 22, 2007
That could work, but the idea I have seems to be more reliable. If it's something you say, I'd expect IPS to implement it how the profiles change sections. Those can have major lag at times, so your idea, while very good and creative, has its issues. ;)
Louis M. Posted October 26, 2007
When storing information in the system I always change the password before and after IPS helps with the system. If there is a password in the system, it's not valid for too long.
This topic is now archived and is closed to further replies.