  1. Jira Data Center
  2. JRASERVER-10600

DON'T SEND PASSWORDS OVER THE INTERNET IN PLAIN TEXT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    Description

      I signed up for an account at jira.atlassian.com and my password was emailed to me in plain text. Passwords should never be handled this way. A password should be hashed with md5 or another function and the hash of the password stored. When the user logs in, the password he gives is then hashed with the same function and the hashes are compared. This way, if the database is compromised, your users' passwords are not. Emailing passwords should NEVER be done. Emails are routinely archived in many US businesses (our government thinks it's a good idea) and reviewed by people who do not have, for example, my access level. By emailing my password, you may have given a DBA access to non-public information which they are not authorized to have.


            People

              Unassigned
              Andrew Dixon