Crowd / CWD-1876

Encrypt all external system passwords in Crowd's database


      Description

      Atlassian Update - 20 October 2020

      Hello everyone,

      We’re happy to inform you that we’ve released Crowd 4.2, which encrypts all passwords to external systems that are stored in Crowd’s database. These are:

      • Passwords that allow Crowd to connect to an LDAP / AD directory
      • Remote Crowd directory application passwords
      • Azure AD web application keys
      • SMTP mail passwords
      • Proxy passwords

      We’d like to emphasize that the encryption of application.password stored in the crowd.properties file, which is used by clients connecting to Crowd, is not in the scope of this ticket. This suggestion is tracked in another ticket: CWD-5649.

      Best regards,

      Crowd team

      Anywhere that a password is stored in plaintext in Crowd's database, it should be encrypted. This will not stop a knowledgeable attacker, but may slow them down.

              People

              Assignee:
              Unassigned
              Reporter:
              David O'Flynn [Atlassian] (doflynn)
              Votes:
              53
              Watchers:
              51
