- Suggestion
- Resolution: Duplicate
- None
- None
- jira.atlassian.com
I signed up for an account at jira.atlassian.com and my password was emailed to me in plain text. Passwords should never be handled this way. A password should be hashed with md5 or another function and the hash of the password stored. When the user logs in, the password he gives is then hashed with the same function and the hashes are compared. This way, if the database is compromised, your users' passwords are not. Emailing passwords should NEVER be done. Emails are routinely archived in many US businesses (our government thinks it's a good idea) and reviewed by people who do not have, for example, my access level. By emailing my password, you may have given a DBA access to non-public information which they are not authorized to have.
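The store-and-compare flow the reporter describes, as an added example that is not part of the original report or of Jira itself. It uses a salted PBKDF2-HMAC-SHA256 in place of the MD5 the report mentions, because a fast unsalted hash does not protect a leaked password table; the iteration count, the stored record format, and the in-memory user table are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: a slow, salted key-derivation function
# so that a stolen hash table cannot be reversed quickly, even for weak passwords.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a verifier from the password and return a self-describing record.

    The record (algorithm$iterations$salt$digest, an assumed format) is what gets
    stored; the plaintext password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the supplied password and compare it to the stored one."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed stand-in for a user table: username -> stored password record.
USERS: Dict[str, str] = {}


def sign_up(username: str, password: str) -> None:
    """Store only the derived record; nothing here emails or logs the password."""
    USERS[username] = hash_password(password)


def log_in(username: str, password: str) -> bool:
    """Compare the hash of the submitted password against the stored record."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    sign_up("alice", "correct horse battery staple")
    print("stored record:", USERS["alice"])
    print("right password:", log_in("alice", "correct horse battery staple"))
    print("wrong password:", log_in("alice", "Tr0ub4dor&3"))
```

Because the salt is random per user, two users with the same password get different records, and the stored record can be shown to a DBA or land in a mail archive without revealing the password itself.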
- duplicates: JRASERVER-6175 Passwords sent as clear text in email (Closed)
- is related to: JRASERVER-15122 Encrypt passwords sent from login portlet/page to server. (Closed)