Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

Müşteri İlişkileri Yönetimi
e-Commerce
Muhasebe
Envanter
PoS
Proje Yönetimi
MRP

All apps

All Posts People Badges

Etiketler (View all)

odoo accounting v14 pos v15

About this forum

Yardım

Are the Odoo developers promoting insecure by default in their coding practices?

password postgresql open linux odoo odooV8 linu

2 Cevaplar

6627 Görünümler

Timo Goosen

Someone filed an issue on github https://github.com/odoo/odoo/issues/1975

which showed that the passwords in Odoo and OpenERP for that matter are not being hashed:

http://php.net/manual/en/faq.passwords.php

"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."

More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

Just for those who don't know the difference between hashing and encrypting passwords:
http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it

Besides hasing passwords I also think a salt should be added.

Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers
are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses
that are going to be using their software.

Ben Bernard

Yes, by default the password is not encrypted. To store password in encrypted text use auth_crypt (or base_crypt for later version). The best practice here is to use the module in production.

But, I agree that by default it should be secure.

Timo Goosen

Üretici

"The best practice here is to use the module in production."

I can't say that I've seen anyone make this reccomendation in the official documentation.

Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.

Ben Bernard

Yes, I agree with you. That is just my opinion.

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Üye Ol

İlgili Gönderiler	Cevaplar	Görünümler
Does Odoo require a specific version of PostGreSQL? Çözüldü postgresql postgresql9.2 linux odoo odooV8	3 Eyl 18	33225
What does this error mean on Odoo? "Could not execute command 'lessc'" Çözüldü webclient ubuntu bug open linux ubuntu12.04 builder website odoo odooV8 linu	22 Nis 23	113724
Restored database module upgrade not working database postgresql odoo odooV8	1 Eyl 15	4876
What do I do with the Odoo support contract keys? openerp7 open linux opener odoo	0 Mar 15	4646
Add a button to a ValidationError odoo odooV8	1 Kas 22	4317

Bu soru işaretlendi

Enjoying the discussion? Don't just read, join in!