Odoo Help


Does OpenERP store passwords in clear text?!!! [Closed]

By Obay Albadri on 3/17/13, 10:28 AM, 5,371 views

The question has been closed by Obay Albadri on 06/24/2013 06:54:05

I opened the database and I found that users' passwords are stored as they were provided in the UI (in clear text). Am I missing something? Is there any configuration that I missed, or does OpenERP really store passwords like that?

As far as I know, in terms of security it is very bad practice to store passwords without strong hashing (SHA-256+) and salting!

sulzi
On 3/17/13, 11:44 AM

Yes, by default it does. You can change this behavior if you install the module auth_crypt.

This is crazy. By default the passwords should NEVER EVER EVER be in clear text... This is a serious problem. The default should be some sort of encryption...

Gratis Inc.
on 3/17/13, 11:53 PM

This is really strange! This is a really serious issue. I hope I can find explanations from the developers team on why hashing is not the default?!!

Obay Albadri
on 3/18/13, 5:57 AM

From the module page: "This module is currently not compatible with the user_ldap module and will disable LDAP authentication completely if installed at the same time"

Obay Albadri
on 3/18/13, 6:00 AM
Daniel Reis
On 3/18/13, 10:20 AM

Well, actually that's a feature, so that it's possible to recover lost passwords.

As for the reason for cleartext passwords: once you switch to encrypted passwords you can't recover user passwords anymore. So enabling it is a choice, because there's no going back. We don't currently plan to make passwords encrypted by default.

See the full discussion on the "base_crypt and users_ldap don't work together" bug report.

EDIT: the above presents publicly available points of view from OpenERP SA people, and does not reflect any personal opinion on the subject.

Maybe it's just me but the reasoning is quite moot. Since the user accounts are managed by an administrator, why not just inform the administrator to reset the password? This "password-is-stored-as-plaintext" default is very prone to abuse since many users will use the same passwords used in their personal email and other accounts (no matter how we advise them against it). Some programmers or advanced users will now have a way to open the personal email accounts of most OpenERP users in their company.

Abner Galeno Jr.
on 3/18/13, 12:29 PM

I totally agree with Abner Galeno Jr. That doesn't make sense, and it seems to be very far away from standard authentication mechanisms' recommendations. If my database is exposed by some attack then I am giving the attacker plain text passwords, and he doesn't have to use any extra techniques (like rainbow tables) to use these passwords for further attacks, so it is against the Defense in Depth principle.

Obay Albadri
on 3/20/13, 5:57 AM

You can join the discussion in the bug report, and present your point there. Maybe OpenERP SA changes their mind on this.

Daniel Reis
on 3/20/13, 6:09 AM

I have to mention that Broken Authentication jumped from #5 to #2 in the OWASP Top 10 most critical application security risks in the 2013 RC [https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents].

Obay Albadri
on 3/20/13, 6:15 AM

ERP software is such a complex beast requiring so much customization and preparation that it precludes use by novice users. Since by its nature it requires you to review and configure almost all aspects of its operation adding password protection policies to the list of things to review/configure is not that big of a burden. In fact, it could be argued that it is a decision best left to the admin, and not to OpenERP SA. On the other hand, plain text passwords make development and testing so much easier.

Mike Telahun
on 3/20/13, 6:27 AM

Also, not all password encryption mechanisms are created equal. For example, simple hash+salt schemes are not as secure as they used to be with the advent of GPU based password crackers. So, having no encryption is better than having a (possibly) insecure password encryption mechanism that gives the admin a false sense of security.

Mike Telahun
on 3/20/13, 6:38 AM

@Mike, admins here have no chance to choose between encryption and clear text passwords; yes, they can set their policies, but they rely on the infrastructure of the software. Secondly, "plain text passwords make development and testing so much easier": sure, but we are talking about production. Finally, about "false sense of security", we could have a very long talk about that; simply, there is no 100% security. Security is all about possibilities. I just hope we can make this thing better :)

Obay Albadri
on 3/20/13, 6:53 AM

@Mike, it's a really good point that admins can install the encryption module anyway, if they really want to... but OpenERP is easily installed by non-admins now too... Also, why would programmers spend much time debugging the log-in page? But I know many hardcore programmers that don't care much about encryption; maybe they have their reasons (though they don't tell us) but I'm pretty sure they don't rationalize their choice either...

Abner Galeno Jr.
on 3/20/13, 11:55 AM

@Mike: If you were going to war, would you prefer not wearing a helmet and kevlar just because you still have a chance to be shot and die from blood loss etc. anyway? I don't get that logic. Also, as stated by epixoip near the bottom of the page http://hackaday.com/2012/12/06/25-gpus-brute-force-348-billion-hashes-per-second-to-crack-your-passwords/, there are algorithms that are designed for password storage, such as PBKDF2. They are designed to waste CPU or GPU time. PBKDF2 is even used by TrueCrypt and it was designed to adapt to increasing computing speed.

Abner Galeno Jr.
on 3/20/13, 12:11 PM

I'm not arguing that plain-text passwords are OK. They aren't. It's the first thing you should configure when setting up a production server. But what I am saying is that it's not as scandalous as some on this thread make it out to be. There is so much that needs to be configured that setting up encrypted passwords is probably the least difficult thing someone can do in OpenERP. And no, even with version 7.0, a novice cannot setup a non-trivial production server of OpenERP.

Mike Telahun
on 3/20/13, 12:50 PM
Francesco OpenCode
On 3/20/13, 6:33 AM

If someone, without your permission, can read your postgresql database, your last problem is the encryption of passwords ;)

I disagree with that, in security we are dealing with possibilities, for example think of this "users will use the same passwords used in their personal email and other accounts (no matter how we advise them against it)" -@Abner

Obay Albadri
on 3/20/13, 6:57 AM

The OpenERP passwords are created by the admin. I think it is unlikely that the password is equal to the user's personal password.

Francesco OpenCode
on 3/20/13, 11:28 AM

Stats

Asked: 3/17/13, 10:28 AM
Seen: 5371 times
Last updated: 3/16/15, 8:10 AM