[4.20] Email account password is saved in plain text in database.

1 year ago
Hi,

Just curious to see if it would be feasible to store the email account password not so plainly? Maybe add a dash of hashing? That would be for the emails listed in /Admin/EmailAccount/List/

Thank you.
1 year ago
I don't think it would be possible to hash it as NopCommerce would need to retrieve that password.

Possibly an encrypted password.
1 year ago
Right, anything should be better than saving in plain text, correct?
As long as someone cannot simply see the password by peeking inside the DB, that would be advantageous, I think...
1 year ago
If you want you can encrypt the password when the email record is saved,
then decrypt the password when you read the email record from the database.
Have a look at the routines in EmailAccountService in
nopCommerce_4_Source\src\Libraries\Nop.Services\Messages\EmailAccountService.cs
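An added illustration of the encrypt-on-save / decrypt-on-read pattern suggested above, using ASP.NET Core's Data Protection API (example code, not nopCommerce's own EmailAccountService; the EmailAccount class and ProtectedEmailAccountStore are hypothetical stand-ins, and the code assumes the Microsoft.AspNetCore.DataProtection.Extensions package is referenced):

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;

// Minimal stand-in for the email account entity (hypothetical; not nopCommerce's class).
public class EmailAccount
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string Password { get; set; } // the column that is persisted; ciphertext after protection
}

// Hypothetical wrapper around the save/read path described in the post above.
public class ProtectedEmailAccountStore
{
    private readonly IDataProtector _protector;

    public ProtectedEmailAccountStore(IDataProtectionProvider provider)
    {
        // A distinct purpose string scopes this protector, so payloads protected for
        // other purposes (auth cookies, tokens) cannot be unprotected as SMTP passwords.
        _protector = provider.CreateProtector("Nop.EmailAccount.Password.v1");
    }

    // Called before the record is written: only ciphertext reaches the database.
    public EmailAccount PrepareForInsert(EmailAccount account, string plainPassword)
    {
        account.Password = _protector.Protect(plainPassword);
        return account;
    }

    // Called after the record is read: the SMTP client needs the original secret.
    public string RevealPassword(EmailAccount account)
    {
        // Unprotect throws CryptographicException if the stored value was modified
        // or was protected under a key ring this application does not hold.
        return _protector.Unprotect(account.Password);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Keys are persisted in this directory; losing the key ring makes every
        // stored password unrecoverable, so in production it must be backed up and access-controlled.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "nop-dp-keys"));
        var store = new ProtectedEmailAccountStore(DataProtectionProvider.Create(keyDir));

        var account = store.PrepareForInsert(new EmailAccount { Id = 1, Email = "shop@example.com" }, "smtp-secret");
        Console.WriteLine($"stored : {account.Password}");              // opaque base64url token, not the password
        Console.WriteLine($"in use : {store.RevealPassword(account)}"); // the original secret for the SMTP client
    }
}
```

This covers the case raised in the thread (reading the password by peeking at the table), but anyone who holds both the database and the key ring can still recover it, so the key directory needs separate access controls from the DB.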
1 month ago
utneflyte wrote:

Just curious to see if it would be feasible to store the email account password not so plainly? Maybe add a dash of hashing? That would be for the emails listed in /Admin/EmailAccount/List/

It's surprising and concerning that nopCommerce isn't taking precautions to secure passwords stored in the database. It does so for the Customers table but not the email accounts. Why not?
1 month ago
Work items were created for this, but they seem to have been closed as "on hold / maybe won't" - e.g.
https://github.com/nopSolutions/nopCommerce/issues/345

The team does not seem to consider it a big vulnerability, because one would need access to the DB
https://www.nopcommerce.com/en/boards/topic/43865/email-accounts-not-hashing-password

However, they need to consider that many store owners use third party vendors to support them. (And if the DB is hosted, then the hosting company staff could have access to the DB too).