Someone filed an issue on github https://github.com/odoo/odoo/issues/1975
which showed that the passwords in Odoo and OpenERP for that matter are not being hashed:
"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."
More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/
Just for those who don't know the difference between hashing and encrypting passwords:
Besides hasing passwords I also think a salt should be added.
Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers
are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses
that are going to be using their software.
"The best practice here is to use the module in production."
I can't say that I've seen anyone make this reccomendation in the official documentation.
Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 8/27/14, 5:06 AM|
|Seen: 1446 times|
|Last updated: 3/16/15, 8:10 AM|