Are the Odoo developers promoting insecure by default in their coding practices?

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Contabilità
Magazzino
PoS
Project
MRP

All apps

Tutti gli articoli Persone Badge

Etichette (Mostra tutto)

odoo accounting v14 pos v15

Sul forum

Assistenza

Are the Odoo developers promoting insecure by default in their coding practices?

password postgresql open linux odoo odooV8 linu

2 Risposte

5652 Visualizzazioni

Timo Goosen

Someone filed an issue on github https://github.com/odoo/odoo/issues/1975

which showed that the passwords in Odoo and OpenERP for that matter are not being hashed:

http://php.net/manual/en/faq.passwords.php

"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."

More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

Just for those who don't know the difference between hashing and encrypting passwords:
http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it

Besides hasing passwords I also think a salt should be added.

Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers
are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses
that are going to be using their software.

Ben Bernard

Yes, by default the password is not encrypted. To store password in encrypted text use auth_crypt (or base_crypt for later version). The best practice here is to use the module in production.

But, I agree that by default it should be secure.

Timo Goosen

Autore

"The best practice here is to use the module in production."

I can't say that I've seen anyone make this reccomendation in the official documentation.

Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.

Ben Bernard

Yes, I agree with you. That is just my opinion.

Ti stai godendo la conversazione? Non leggere soltanto, partecipa anche tu!

Crea un account oggi per scoprire funzionalità esclusive ed entrare a far parte della nostra fantastica community!

Registrati

Post correlati	Risposte	Visualizzazioni
Does Odoo require a specific version of PostGreSQL? Risolto postgresql postgresql9.2 linux odoo odooV8	3 set 18	31175
What does this error mean on Odoo? "Could not execute command 'lessc'" Risolto webclient ubuntu bug open linux ubuntu12.04 builder website odoo odooV8 linu	22 apr 23	112082
Restored database module upgrade not working database postgresql odoo odooV8	1 set 15	4065
What do I do with the Odoo support contract keys? openerp7 open linux opener odoo	0 mar 15	4025
Add a button to a ValidationError odoo odooV8	1 nov 22	3460

La domanda è stata contrassegnata

Ti stai godendo la conversazione? Non leggere soltanto, partecipa anche tu!