Odoo Help

3 Answers
3/17/13, 11:44 AM

Yes, by default it does. You can change this behavior if you install the module auth_crypt.

Gratis Inc.
3/17/13, 11:53 PM

This is crazy. By default the passwords should NEVER EVER EVER be in clear text... This is a serious problem. The default should be some sort of encryption...

Obay Albadri
3/18/13, 5:57 AM

This is really strange! This is a really serious issue; I hope I can find explanations from the developers' team why hashing is not the default?!!

Obay Albadri
3/18/13, 6:00 AM

From the module page: "This module is currently not compatible with the user_ldap module and will disable LDAP authentication completely if installed at the same time"


Daniel Reis
3/18/13, 10:20 AM

Well, actually that's a feature, so that it's possible to recover lost passwords.

As for the reason for cleartext passwords: once you switch to encrypted passwords you can't recover user passwords anymore. So enabling it is a choice, because there's no going back. We don't currently plan to make passwords encrypted by default.

See the full discussion on the "base_crypt and users_ldap don't work together" bug report.

EDIT: the above presents publicly available points of view from OpenERP SA people, and does not reflect any personal opinion on the subject.

Abner Galeno Jr.
3/18/13, 12:29 PM

Maybe it's just me but the reasoning is quite moot. Since the user accounts are managed by an administrator, why not just inform the administrator to reset the password? This "password-is-stored-as-plaintext" default is very prone to abuse since many users will use the same passwords used in their personal email and other accounts (no matter how we advise them against it). Some programmers or advanced users will now have a way to open the personal email accounts of most OpenERP users in their company.

Obay Albadri
3/20/13, 5:57 AM

I totally agree with Abner Galeno Jr. That doesn't make sense, and it seems to be very far away from standard authentication mechanisms' recommendations. If my database is exposed by some attack then I am giving the attacker plain-text passwords, and he doesn't have to use any extra techniques (like rainbow tables) to use these passwords for further attacks, so it is against the Defense in Depth principle.

Daniel Reis
3/20/13, 6:09 AM

You can join the discussion in the bug report, and present your point there. Maybe OpenERP SA changes their mind on this.

Obay Albadri
3/20/13, 6:15 AM

I have to mention that Broken Authentication jumped from #5 to #2 in the OWASP Top 10 most critical application security risks in the 2013 RC: https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

Mike Telahun
3/20/13, 6:27 AM

ERP software is such a complex beast, requiring so much customization and preparation, that it precludes use by novice users. Since by its nature it requires you to review and configure almost all aspects of its operation, adding password protection policies to the list of things to review/configure is not that big of a burden. In fact, it could be argued that it is a decision best left to the admin, and not to OpenERP SA. On the other hand, plain text passwords make development and testing so much easier.

Mike Telahun
3/20/13, 6:38 AM

Also, not all password encryption mechanisms are created equal. For example, simple hash+salt schemes are not as secure as they used to be with the advent of GPU based password crackers. So, having no encryption is better than having a (possibly) insecure password encryption mechanism that gives the admin a false sense of security.

Obay Albadri
3/20/13, 6:53 AM

@Mike, admins here have no chance to choose between encryption and clear-text passwords; yes, they can with their policies, but they rely on the infrastructure of the software. Secondly, "plain text passwords make development and testing so much easier": sure... but we are talking about production. Finally, about "false sense of security": we could have a very long talk about that; simply, there is no 100% security. Security is all about possibilities. I just hope we can make this thing better :)

Abner Galeno Jr.
3/20/13, 11:55 AM

@Mike It's a really good point that admins can install the encryption module anyway, if they really want to... but OpenERP is easily installed by non-admins now too... Also, why would programmers spend much time debugging the log-in page? But, I know many hardcore programmers that don't care much about encryption; maybe they have their reasons (though they don't tell us) but I'm pretty sure they don't rationalize their choice either.

Abner Galeno Jr.
3/20/13, 12:11 PM

@Mike: If you are going to a war, would you prefer not wearing a helmet and kevlar just because you still have a chance to be shot and die from blood loss etc. anyway? I don't get that logic. Also, as stated by epixoip near the bottom of the page http://hackaday.com/2012/12/06/25-gpus-brute-force-348-billion-hashes-per-second-to-crack-your-passwords/, there are algorithms that are designed for password storage, such as PBKDF2. They are designed to waste CPU or GPU time. PBKDF2 is even used by Truecrypt and it was designed to adapt to increasing computing speed.
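The slow, salted password-storage scheme Abner refers to, shown as an added example in Python (the language OpenERP itself is written in). This is illustration code written for this page, not code from OpenERP, from the auth_crypt module or from any poster. It assumes a users table modelled as a plain dict of name to stored value, a hash string format of the example's own design, and an iteration count chosen for illustration. It goes slightly beyond the post in one respect: the `login()` function also accepts a legacy cleartext row and replaces it with a PBKDF2 hash on the first successful login, so a migration from cleartext storage never needs anyone to read or reset the old passwords, and the stored iteration count lets the work factor be raised later, the "adapt to increasing computing speed" property the post mentions.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor. This number is an assumption for the example; in production
# tune it so a single verification costs tens to hundreds of milliseconds
# on the real server hardware.
PBKDF2_ITERATIONS = 600_000
PBKDF2_PREFIX = "$pbkdf2-sha256$"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $pbkdf2-sha256$<iterations>$<salt>$<dk>.

    A fresh 16-byte random salt per password defeats precomputed (rainbow)
    tables and makes two users with the same password hash differently; the
    iteration count is stored alongside so it can be raised for new hashes
    without breaking verification of old ones.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"{PBKDF2_PREFIX}{iterations}${_b64(salt)}${_b64(dk)}"


def is_hashed(stored: str) -> bool:
    """Distinguish a hash produced above from a legacy cleartext row."""
    return stored.startswith(PBKDF2_PREFIX)


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iterations, compare in constant time."""
    if not is_hashed(stored):
        raise ValueError("stored value is not a PBKDF2 hash")
    _, _algo, iterations, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for cleartext rows and for hashes made with a lower work factor."""
    if not is_hashed(stored):
        return True
    return int(stored.split("$")[2]) < iterations


def login(users: Dict[str, str], name: str, password: str,
          iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Authenticate against the constructed users table {name: stored_value}.

    A legacy cleartext row is checked in constant time and, on success,
    silently replaced by a PBKDF2 hash; a hash with a too-low iteration
    count is upgraded the same way. The migration therefore happens
    lazily at login, with no need to recover or reset existing passwords.
    """
    stored = users.get(name)
    if stored is None:
        # Spend the same work as a real check so an unknown user name is
        # not distinguishable from a wrong password by response time.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16,
                            iterations, dklen=32)
        return False
    if is_hashed(stored):
        ok = verify_password(password, stored)
    else:
        ok = hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    if ok and needs_rehash(stored, iterations):
        users[name] = hash_password(password, iterations)
    return ok


if __name__ == "__main__":
    # Constructed sample table: one legacy cleartext row, one already hashed.
    table = {"admin": "admin", "bob": hash_password("hunter2")}
    assert login(table, "admin", "admin")
    print("admin row after first login:", table["admin"][:40], "...")
```

Note that the cleartext branch of `login()` exists only to absorb existing rows: new accounts and password changes must always go through `hash_password()`, and once every row reports `is_hashed()` the cleartext branch can be deleted. Verification cost scales with the iteration count, which is the point: an attacker with the database dump pays the same cost per guess.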

Mike Telahun
3/20/13, 12:50 PM

I'm not arguing that plain-text passwords are OK. They aren't. It's the first thing you should configure when setting up a production server. But what I am saying is that it's not as scandalous as some on this thread make it out to be. There is so much that needs to be configured that setting up encrypted passwords is probably the least difficult thing someone can do in OpenERP. And no, even with version 7.0, a novice cannot setup a non-trivial production server of OpenERP.


Francesco OpenCode
3/20/13, 6:33 AM

If someone, without your permission, can read your postgresql database, your last problem is the encryption of passwords ;)

Obay Albadri
3/20/13, 6:57 AM

I disagree with that, in security we are dealing with possibilities, for example think of this "users will use the same passwords used in their personal email and other accounts (no matter how we advise them against it)" -@Abner

Francesco OpenCode
3/20/13, 11:28 AM

The OpenERP passwords are created by the admin. I think it is difficult for the passwords to be equal to the users' personal passwords.
