scottydawg Posted March 9, 2007
I just wanted to point something out, as I felt it's a security concern within the IPS Customer Center. In the profile area you have a place to put account information to help with the technical support, to help with board issues. Passwords are shown in plain text, and if your IPS account were to, say, become compromised, anyone would have access to that information for any licenses that you currently own. A suggestion would be to at least mask the passwords to prevent this.
.John. Posted March 9, 2007
To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...
scottydawg Posted March 9, 2007
> To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...

Oh, I won't bash you for it. =p I never knew the feature was there until today, when I started typing in the information. I'm just looking out for security in general.
Guest Posted March 9, 2007
Showing it in plain text could indeed be a compromising situation if someone is looking over your shoulder...
cojo Posted March 9, 2007
> To be frank, if the Customer Center were compromised they would have known your e-mail address and password to sign in. Chances are, your IPS Customer Center password and Admin password are the same ;) Now don't start bashing me saying yours isn't, that's great - but for many/most that is the case...

Not necessarily. If a security hole is discovered, a hacker could use SQL injection to retrieve contents in a database. This is why one should never show visitors any specific error details related to a database call. Sometimes it gives enough info or flags a possible hole for a malicious person to exploit. If the stored data isn't encrypted, they found a gold mine. I agree w/ scottydawg: all the passwords there should at least be masked and the stored info encrypted for security reasons.
Lindy (Management) Posted March 10, 2007
Point taken and an easy enough fix. No problem. :)
scottydawg Posted September 30, 2007
Any update on this? The problem still exists.
Luke Posted October 1, 2007
The reason why the passwords are stored in plain text is so the support rep can log in to the account and perform tasks requested by the customer. On the employee side, this has to be seen. On the customer side, I do agree it would be beneficial to mask it, just in case they logged in at a coffee shop or something and forgot to log out. On the employee side, it really isn't a concern.
elj Posted October 2, 2007
Obviously the passwords have to be kept unencrypted so they can be used by the staff for support, but I don't think it'd be too much hassle to change the two passwords to four masked boxes (2x password, 2x confirm) on the customer side. :)
scottydawg Posted October 21, 2007
I'm not worried about it on the employee side. I completely understand that they can't be encrypted. But I think that when the passwords are added to the system, they should not be able to be seen by the cst. An example would be that the cst could enter them in plain text, but once submitted the passwords would not be shown and the only option would be to change the password.
stoo2000 Posted October 21, 2007
Well, in theory you could use Mcrypt to encrypt, and then un-encrypt it when the staff member wants to see it; obviously you'd have to store a random salt somewhere, maybe?
Dr. Awesome Posted October 21, 2007
How about this: a script delivers a masked password to the client side, while it gets decrypted for the employee side. Basically, logging in from the employee's section allows you to see it.
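The last three posts (mask after submit, encrypt at rest with a random per-record value, decrypt only for the staff view) sketch one design. The following is an added illustration of that design, written for this thread; it is not IPS code and does not use Mcrypt. It assumes a hypothetical `Vault` type holding an AES-256 key that would come from a secrets store in practice (here a constructed random key), uses AES-GCM so that a tampered or swapped ciphertext is rejected rather than silently decrypted, stores a fresh random nonce in front of each ciphertext in place of the "random salt" mentioned above, and returns a fixed-length mask to the customer role so the view leaks neither the password nor its length.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Role distinguishes who is asking to see a stored support password.
type Role int

const (
	Customer Role = iota
	Staff
)

// Vault wraps one AES-256-GCM key. The key is assumed to be loaded from a
// secrets store or KMS in a real deployment; it must never sit in the
// database next to the ciphertexts it protects.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds a Vault from a 32-byte key (AES-256).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a support password for storage. A fresh random nonce is
// drawn per record and stored as the prefix of the blob. The record id
// (e.g. the license the password belongs to) is bound as associated data,
// so a blob copied from one customer's row to another fails to decrypt.
func (v *Vault) Seal(recordID, password string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(password), []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal. Any modification of the blob, or a
// mismatched record id, makes GCM's tag check fail and returns an error.
func (v *Vault) Open(recordID string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("stored blob too short to contain a nonce")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ViewPassword is the only path the UI should call. Customers always get a
// constant-width mask (no length leak); only the Staff role triggers
// decryption, which keeps the plaintext out of the customer-side page.
func (v *Vault) ViewPassword(role Role, recordID string, blob []byte) (string, error) {
	if role != Staff {
		return strings.Repeat("*", 8), nil
	}
	return v.Open(recordID, blob)
}

func main() {
	// Constructed key for the demo; a deployment would load it from a KMS.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	blob, _ := v.Seal("license-1234", "hunter2") // constructed sample record
	cust, _ := v.ViewPassword(Customer, "license-1234", blob)
	staff, _ := v.ViewPassword(Staff, "license-1234", blob)
	fmt.Println("customer sees:", cust)
	fmt.Println("staff sees:   ", staff)
	// Reusing the blob under another record id is refused.
	if _, err := v.Open("license-9999", blob); err != nil {
		fmt.Println("swapped record rejected:", err)
	}
}
```

The point of routing every read through `ViewPassword` is that the customer-side template never has the plaintext to mask in the first place; masking done in the browser with a hidden field would still ship the secret to anyone with access to the page source or a cached copy.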
.Ryan Posted October 21, 2007
Or there could just be the standard box and a button that says hide, and it closes so you have to "unhide" it to view the password, and if someone is peeking at your screen they can't see it. So basically a collapsible field that expands and collapses...
Dr. Awesome Posted October 22, 2007
That could work, but the idea I have seems to be more reliable. If it's something you say, I'd expect IPS to implement it how the profiles change sections. Those can have major lag at times, so your idea, while very good and creative, has its issues. ;)
Louis M. Posted October 26, 2007
When storing information in the system I always change the password before and after IPS helps with the system. If there is a password in the system it's not valid for too long.