ferg, posted April 4, 2011

Is it possible to remove the password from the registration email, and just leave the email address?

We have had a complaint / suggestion from a customer that it is a "very serious security flaw" to send out the password in plain text over email unless it is single use (e.g. reset the password).

I have removed the {passwd} from mails/en/password.html and password.txt and replaced it with "hidden for your security". When I retested, it pushed it through anyway.

Has anyone made this change - is it a quick job?

Looking forward to suggestions.

Ferg
ChrisLNZ, posted April 5, 2011

If you remove this, how will a password reset work? You need to be able to send out passwords by email...
ferg (author), posted April 5, 2011

Hi ChrisLNZ

Sorry, I think you misunderstood my message.

I want to remove the plain text entry for the password in the registration email (when they sign up), which is not a single use password. It is the main password for the account, and if the email account is hacked or opened by a third party, the PrestaShop account can be accessed by the third party due to the username and password being sent as plain text.

I used the password reset as an example of when it is OK to send a password in plain text, as it will be changed after that single use, allowing the account to be secure again.

Thanks for the interest.

Still looking for a solution .......

Ferg
ChrisLNZ, posted April 5, 2011

I did misunderstand - sorry. I am not sure that this will work, but it may be worth a shot: open password.html at about line 26 and add a series of ***** a space after "Password:", then comment out the variable password, as shown:

Password: ****** <!--{passwd} -->

AFAIK that should send the email without the password being displayed.
ferg (author), posted April 5, 2011

Hi there

Unfortunately it does not work. I had already tried removing the variable and just adding text, but I have tried your way by commenting it out and still no joy.

Hmm, surely I can't be the only one who has come up against this?

Yours, still in hope,

Ferg
ChrisLNZ, posted April 5, 2011

It occurred to me that you may need to edit both the HTML and plain text versions if you have your setup to send either?
ferg (author), posted April 5, 2011

Yes, both files were updated together and it still makes no difference.
ChrisLNZ, posted April 5, 2011

Oh well, guess this will be up to one of the developers. I did also have a look in the classes folder but haven't found what I could edit for this yet.
steve.brown, posted April 6, 2011

http://www.historykillerpro.com/download.html I have deleted with this
ChrisLNZ, posted April 6, 2011

ferg, there was another post on changes not taking effect and the suggestion was to force recompile in BO.
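The thread raises two points worth checking in code: whether hiding the placeholder inside an HTML comment (the `<!--{passwd} -->` suggestion) actually keeps the password out of the message, and what the "single use" alternative ferg describes looks like. The following is an added example, not PrestaShop's code or anything posted in this thread. It assumes, as a simplification, that the mailer fills templates by plain string replacement of `{name}` placeholders; the templates, the `ResetTokenStore` class, the server key and the e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed templates. The "leaky" one follows the commented-out placeholder
# idea: mail clients hide HTML comments, but the raw message still contains
# whatever the placeholder was replaced with.
REGISTRATION_TEMPLATE_LEAKY = (
    "Welcome {firstname}!\n"
    "Email: {email}\n"
    "Password: ****** <!--{passwd} -->\n"
)

# The safe variant simply has no password placeholder at all.
REGISTRATION_TEMPLATE_SAFE = (
    "Welcome {firstname}!\n"
    "Email: {email}\n"
    "Password: hidden for your security\n"
)

# The reset mail carries a single-use link instead of a password.
RESET_TEMPLATE = (
    "Hello {firstname},\n"
    "Use this link within {minutes} minutes to choose a new password:\n"
    "{reset_url}\n"
)


def render(template: str, variables: Dict[str, str]) -> str:
    """Fill placeholders by plain string replacement (assumed mailer behaviour)."""
    out = template
    for key, value in variables.items():
        out = out.replace(key, value)
    return out


def registration_mail(template: str, firstname: str, email: str, password: str) -> str:
    """Render a registration mail the way a mailer that is handed {passwd} would."""
    return render(template, {"{firstname}": firstname, "{email}": email, "{passwd}": password})


def password_leaks(rendered: str, password: str) -> bool:
    """True if the clear-text password appears anywhere in the message body,
    HTML comments included."""
    return password in rendered


class ResetTokenStore:
    """Single-use, time-limited password reset tokens.

    Only an HMAC of each token is kept, so a copy of the store does not yield
    usable tokens; redeeming a token removes it, so it cannot be replayed.
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 900):
        self._key = server_key
        self._ttl = ttl_seconds
        self._pending: Dict[str, tuple] = {}  # token digest -> (email, expiry)

    def _digest(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh random token for `email` and record its expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, now + self._ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the address for a valid token and invalidate it; None for
        unknown, expired or already-used tokens."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expiry = entry
        return None if now > expiry else email


def reset_mail(firstname: str, token: str, ttl_seconds: int) -> str:
    """Render the reset mail; the token, not the password, is what goes out."""
    url = "https://shop.example/password-reset?token=" + token  # constructed URL
    return render(RESET_TEMPLATE, {"{firstname}": firstname,
                                   "{minutes}": str(ttl_seconds // 60),
                                   "{reset_url}": url})


if __name__ == "__main__":
    leaky = registration_mail(REGISTRATION_TEMPLATE_LEAKY, "Ferg", "ferg@example.test", "S3cret!")
    print("commented-out placeholder still leaks:", password_leaks(leaky, "S3cret!"))
    store = ResetTokenStore(b"constructed-server-key")
    tok = store.issue("ferg@example.test")
    print(reset_mail("Ferg", tok, 900))
    print("first redeem:", store.redeem(tok), "second redeem:", store.redeem(tok))
```

The check on the "leaky" template is the practical takeaway: an HTML comment hides the value from the reader's mail client, not from anyone holding the raw message, so the placeholder has to be absent from the template (and from the variables the mailer is handed), not merely commented out. The token store shows the property ferg called "single use": the link is only good once and only for a limited window, so a copy found later in a mailbox is worthless.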