Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Bogføring
Lager
PoS
Projekt
MRP

All apps

All Posts People Emblemer

Tags (View all)

odoo accounting v14 pos v15

Om dette forum

Hjælp

Are the Odoo developers promoting insecure by default in their coding practices?

password postgresql open linux odoo odooV8 linu

2 Besvarelser

6557 Visninger

Timo Goosen

Someone filed an issue on github https://github.com/odoo/odoo/issues/1975

which showed that the passwords in Odoo and OpenERP for that matter are not being hashed:

http://php.net/manual/en/faq.passwords.php

"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."

More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

Just for those who don't know the difference between hashing and encrypting passwords:
http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it

Besides hasing passwords I also think a salt should be added.

Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers
are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses
that are going to be using their software.

Ben Bernard

Yes, by default the password is not encrypted. To store password in encrypted text use auth_crypt (or base_crypt for later version). The best practice here is to use the module in production.

But, I agree that by default it should be secure.

Timo Goosen

Forfatter

"The best practice here is to use the module in production."

I can't say that I've seen anyone make this reccomendation in the official documentation.

Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.

Ben Bernard

Yes, I agree with you. That is just my opinion.

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Tilmeld dig

Related Posts	Besvarelser	Visninger
Does Odoo require a specific version of PostGreSQL? Løst postgresql postgresql9.2 linux odoo odooV8	3 sep. 18	33112
What does this error mean on Odoo? "Could not execute command 'lessc'" Løst webclient ubuntu bug open linux ubuntu12.04 builder website odoo odooV8 linu	22 apr. 23	113621
Restored database module upgrade not working database postgresql odoo odooV8	1 sep. 15	4825
What do I do with the Odoo support contract keys? openerp7 open linux opener odoo	0 mar. 15	4598
Add a button to a ValidationError odoo odooV8	1 nov. 22	4246

Dette spørgsmål er blevet anmeldt

Enjoying the discussion? Don't just read, join in!