
osCommerce


Forgot password = send password via email: insecure?


gazzzzzza


When your new password gets auto-emailed to you using the 'forgotten password' function, we are worried, as the email that is received contains both the username (email address) and the password. Surely this is very insecure? Is it possible to encrypt this data when it is sent using the PHP mail function? The same thing goes for the credit card data being sent (even though it is not the whole number).

 

We are using https:// but I don't think this affects the mail function.

 

Any suggestions/reassurances will be greatly received. :D

always here to offer some useless advice....


Do you use Outlook, Yahoo, Hotmail, etc? Email is rarely ever secure. Even if you encrypted the info into 'secret code' (lol) as is done for instance with Hushmail, the person on the receiving end needs to be able to decrypt it.

 

If you're simply talking about encrypting it in the sense of 128-bit SSL, forget it. You send it securely over the fiber optics and then it gets dropped on an email server where any sysop can get to it.

 

Anyway, you're right, it's not terribly secure. The idea is though that if the person can get into the email acc't, it must be their user/pass. Ha! That's the way it works though.

 

Does osC even use MD5 for the pass? I haven't even looked.


osC uses encryption for creating the passwords, but when it is sent to the user it is in plain text. It is encrypted in the database etc.

 

And the username of the osC user is their email address, which is in the headers of the email, obviously! So both are right there for anyone to try to intercept.

 

Each user's email package may be different - I do not know what every one of our users uses.

 

I guess we just have to use it and hope for the best then.... :(

 

I thought there might be a way to encrypt the mail function in PHP.

always here to offer some useless advice....


I guess we just have to use it and hope for the best then....

 

I thought there might be a way to encrypt the mail function in PHP.

Anything can be encrypted on the server, but it has to be readable by the user's email client in order to be of benefit.

 

I would think that it would be possible for someone good with PHP to write a mod that would send them a link to a secure page in the store that would let them enter a new password for that account without having to enter the existing one. Then after it was done, disable the release from having to enter the existing password for that account.

 

That way no password is sent open text and the window of vulnerability is limited to the time between when the link is sent and when the link is used. I think it would make a great contrib.

Rule #1: Without exception, backup your database and files before making any changes to your files or database.

Rule #2: Make sure there are no exceptions to Rule #1.

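The reset-link design described in the post above (email a link to a secure page, let the customer choose a new password there, and keep the exposure window to the time between sending and using the link) can be modelled in a few functions. The code below is an added example, not osCommerce code and not the contrib the poster proposes; the table names, `RESET_URL`, the 15-minute lifetime and the sample customer are all constructed for the example. The email body carries only a random token, never the password; the server stores only a hash of the token, so a copy of the database does not yield usable links; each token expires and is single-use.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical settings for this example (osCommerce has no such constants).
TOKEN_TTL_SECONDS = 15 * 60                              # link honoured for 15 minutes
RESET_URL = "https://shop.example/reset_password.php"    # placeholder reset page

# Constructed in-memory stand-ins for the customers and reset-token tables.
customers = {"alice@example.com": {"password_hash": None}}
reset_tokens = {}   # sha256(token) -> {"email": ..., "expires": ..., "used": ...}


def hash_password(password):
    """Salted PBKDF2-SHA256; this is what gets stored, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _token_hash(token):
    # Only the hash is persisted; the raw token exists solely inside the email link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Create a random single-use token for a known customer; return it for the link.

    Returns None for unknown addresses so the caller can show the same
    'check your inbox' message either way and not reveal which emails exist.
    """
    if email not in customers:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                    # 256 bits of randomness
    reset_tokens[_token_hash(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def compose_reset_email(token):
    """Body of the message the store would send; it contains the link and nothing secret."""
    return ("Someone asked to reset the password for your account.\n"
            "If that was you, open this link within 15 minutes:\n"
            + RESET_URL + "?token=" + token + "\n"
            "If it was not you, ignore this message; your password is unchanged.\n")


def redeem_reset_token(token, new_password, now=None):
    """Set a new password if the token is known, unexpired and unused; then burn it."""
    now = time.time() if now is None else now
    record = reset_tokens.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True                                # single use, even if it fails later
    customers[record["email"]]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice@example.com")
    print(compose_reset_email(t))
    print("redeem:", redeem_reset_token(t, "correct horse battery staple"))
    print("replay:", redeem_reset_token(t, "attacker-chosen"))   # False: already used
```

The `now` parameter exists so the expiry rule can be exercised deterministically; in the store it would simply default to the clock. Note that the lookup is by hash of the token, so an intercepted email still has to be used within the window, and once the customer has used the link an intercepted copy is worthless.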

Yep

 

You offering?!! :D

 

Just kidding.

That would be great, but I was hoping that there would be a simpler way - a kind of

 

encrypt email

send email

upon receipt auto-decrypt email

 

Wishful thinking... ;)

 

Never mind.

I shall make do with what we have!

always here to offer some useless advice....


Without a prior agreement between you and the recipient, the key to decrypt the email would have to be present in the email.... so anyone who intercepted it would have all the info anyway.

Chris Dunning

osCommerce, Contributions Moderator Team

 

Please do not send me PM! I do not read or answer these often. Use the email button instead!

 

I do NOT support contributions other than my own. Emails asking for support on other people's contributions will be ignored. Ask in the forum or contact the contribution author directly.
