- Bug
- Resolution: Duplicate
- High
- None
- 3.0.1
Stash 3.0.1
Ubuntu Server 13.10
PostgreSQL 9.2
I managed to accidentally lock myself out of my Stash instance this morning during a routine upgrade, and while looking for the name of a local Stash user account I noticed that the password for the Crowd User Directory I'd set up (incorrectly) was stored as plain text in table cwd_directory_attribute immediately after the 'name' of the user directory (update: attribute name = application.password).
I know that someone there knows this little piece of wonderful intel already, but I thought - as plain text passwords in the database are generally regarded as a 'bad idea' - that I should create an issue to request that they be encrypted, as they are in other Atlassian tools (I believe).
Update: 20140604
- Turns out I was wrong - I checked my JIRA instance and the user directory password is stored in plain text there as well. I will create an issue there as well, and in the other tools as I get a chance to check them.
Feel free to adjust the priority as you see fit - I haven't given any thought to how SWIM could use this information in a harmful way but if something occurs to me I'll add it as a comment.
Cheers,
-wc
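An added audit query, not part of the original report, that an administrator can run read-only against the Stash database to confirm which Crowd directories carry an application.password attribute. It reports only the value's length and a SHA-256 digest, so the secret itself is never echoed to the console or captured in query logs. The column names cwd_directory(id, directory_name) and cwd_directory_attribute(directory_id, attribute_name, attribute_value) are assumed from the Crowd embedded schema, and digest() requires the pgcrypto extension on the PostgreSQL 9.2 instance named on this page.

```sql
-- Added audit query (not from the original report).
-- Assumed columns: cwd_directory(id, directory_name),
--                  cwd_directory_attribute(directory_id, attribute_name, attribute_value).
-- Needs: CREATE EXTENSION IF NOT EXISTS pgcrypto;  run under a read-only role.
SELECT d.directory_name,
       a.attribute_name,
       length(a.attribute_value)                          AS value_length,
       -- Digest lets you compare against a known config value without
       -- ever selecting the plaintext into a session or log.
       encode(digest(a.attribute_value, 'sha256'), 'hex') AS value_sha256
FROM   cwd_directory_attribute AS a
JOIN   cwd_directory           AS d ON d.id = a.directory_id
WHERE  a.attribute_name = 'application.password'
ORDER  BY d.directory_name;
```

Any row returned means the connector credential is present in the table and should be treated as exposed to everyone with read access to the database or its backups; rotate it on the Crowd side and restrict database-role grants accordingly.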
- is related to:
  - BSERV-4348 Support encrypted passwords in backup-config.properties (Closed)
  - CWD-1876 Encrypt all external system passwords in Crowd's database (Closed)
- relates to:
  - JRASERVER-38609 Crowd User Directory application password stored in plain text (Closed)