Odoo Help

Welcome!

This community is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

4

Why does OpenERP store passwords in plain text by default

By
IBS
on 3/17/13, 10:30 PM 3,089 views

I would like to hear some input from the Dev team.

Check this: http://help.openerp.com/question/6545/does-openerp-store-passwords-in-clear-text/

Obay Albadri
on 3/18/13, 4:20 AM

Yes I saw, my question is slightly different than that one :)

IBS
on 3/18/13, 7:31 AM

Yes it is, i am waiting for explanation too. :)

Obay Albadri
on 3/18/13, 7:58 AM

For me more crucially, why is communication using xmlrpc and not xmlrpcs by default? The nature of openerp is that it houses businesses core data, it should by nature think of security first. Users passwords are also not checked for complexity, users can happily use passwords123 in openerp, for business use, that's bad.

hiren
on 7/5/13, 12:00 PM
6

Fabien Pinckaers (fp)

--Fabien Pinckaers (fp)--
6598
| 6 8 8
fsdsdfsdf, Belgium
--Fabien Pinckaers (fp)--

Odoo Founder & CEO

Fabien Pinckaers (fp)
On 4/2/13, 5:08 PM

The real reason is historical. We never thought "ok, it's a good idea to not encrypt password by default".

We implemented the plain password XML-RPC auth as it was the fastest implementation back in 2005, when our priority was to deliver our direct implementation customers asap. (and we didn't had extra budget at that time to implement several auth methods).

Since then, we have added encryption as a module "auth_crypt" as well as other authentification mechanisms; ldap, openid, oauth, etc. Every authentification mechanism is implemented by a specific module. We supplied them as optionnal modules so that everyone can choose the one he needs. We did not installed base_crypt by default as it's implementation was not compatible with ldap. (I do not know if it's still the case)

I guess we did not changed the default mode because: 1/ there is always something more important to do (the todo was trapped in the daily flow of things to do), 2/ it would have broken compatibilities for existing customers. 3/ base_crypt was not compatible with auth_ldap (but I think this should be fixed now)

Since the point 2 is not a problem anymore as we have a good migration service now, we should change the default the encrypted password in the next version.

Can anyone propose a merge proposal on the trunk branch to change the default?

Thank you for the thorough explanation.

IBS
on 4/2/13, 7:45 PM
1
Brian Dunnette
On 4/2/13, 12:52 PM

The OpenERP developers have justified the use of plain-text passwords as a password-recovery measure:

"As for the reason for cleartext passwords: once you switch to encrypted passwords you can't recover user passwords anymore. So enabling it is a choice, because there's no going back. We don't currently plan to make passwords encrypted by default."

(from OpenERP bug #738721)

1
Gustavo
On 4/2/13, 5:06 PM

I see the point in the question, IMHO as long as you protect the PostgreSQL database and root users, you are going to be fine from a security standpoint. It's not perfect, but I would enforce security at the server level instead of the appĺication level

0

Francesco OpenCode

--Francesco OpenCode--
3608
| 5 7 9
Grottaglie, Italy
--Francesco OpenCode--

Italian Odoo (OpenERP) Modules Developer LINKEDIN: http://www.linkedin.com/in/francescoapruzzese

Francesco OpenCode
On 4/2/13, 12:53 PM

If you want you can install module auth_crypt (standard OpenERP module) to crypt your passwords but, after this, you can't recovery them. You can choose!

Your Answer

Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!

About This Community

This community is for professionals and enthusiasts of our products and services. Read Guidelines

Question tools

1 follower(s)

Stats

Asked: 3/17/13, 10:30 PM
Seen: 3089 times
Last updated: 3/16/15, 8:10 AM