Odoo Help




Are the Odoo developers promoting insecure by default in their coding practices?

Timo Goosen
on 8/27/14, 5:06 AM 1,446 views

Someone filed an issue on GitHub, https://github.com/odoo/odoo/issues/1975, which showed that the passwords in Odoo, and OpenERP for that matter, are not being hashed:


"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."

More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

Just for those who don't know the difference between hashing and encrypting passwords:

Besides hashing passwords, I also think a salt should be added.

Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses that are going to be using their software.
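The hashing-plus-salt point raised in the question, as an added example that is not part of the original post and is not Odoo's or auth_crypt's code: it converts plaintext password rows to salted PBKDF2-HMAC-SHA256 hashes and verifies logins in constant time. The choice of PBKDF2, the iteration count, the `scheme$iterations$salt$digest` storage format and the `USERS` table are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"   # assumption: algorithm chosen for this example
ITERATIONS = 600_000       # assumption: work factor, tune for your hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'scheme$iterations$salt_hex$digest_hex'; a fresh random salt per call."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def is_hashed(stored: str) -> bool:
    # Simplification: a real schema would record the scheme in its own column.
    return stored.startswith(SCHEME + "$") and stored.count("$") == 3


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not is_hashed(stored):
        return False  # never authenticate against a leftover plaintext row
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext(users: dict) -> int:
    """Replace each plaintext value in place with a salted hash; return rows converted."""
    converted = 0
    for login, stored in users.items():
        if not is_hashed(stored):
            users[login] = hash_password(stored)
            converted += 1
    return converted


# Constructed sample data: two users who share a password, stored in plaintext.
USERS = {"alice": "Winter2014!", "bob": "Winter2014!"}

if __name__ == "__main__":
    print("rows converted:", migrate_plaintext(USERS))
    # Per-user salts make identical passwords produce different stored values.
    print("stored values differ:", USERS["alice"] != USERS["bob"])
    print("login ok:", verify_password("Winter2014!", USERS["alice"]))
```

Because each row carries its own salt, a dump of the table does not reveal which users share a password, and a precomputed table built for one row is useless against another.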



Ben Bernard

On 8/27/14, 5:31 AM

Yes, by default the password is not encrypted. To store the password as encrypted text, use auth_crypt (or base_crypt for later versions). The best practice here is to use the module in production.

But, I agree that by default it should be secure.

Timo Goosen
On 8/27/14, 5:39 AM

"The best practice here is to use the module in production."

I can't say that I've seen anyone make this recommendation in the official documentation.


Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.


Yes, I agree with you. That is just my opinion.

Ben Bernard
on 8/27/14, 5:45 AM

Asked: 8/27/14, 5:06 AM
Seen: 1446 times
Last updated: 3/16/15, 8:10 AM