Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Бухоблік
Склад
PoS
Проект
MRP

All apps

All Posts Люди Значки

Мітки (View all)

odoo accounting v14 pos v15

Про цей форум

Допомога

Are the Odoo developers promoting insecure by default in their coding practices?

password postgresql open linux odoo odooV8 linu

2 Відповіді

6618 Переглядів

Timo Goosen

Someone filed an issue on github https://github.com/odoo/odoo/issues/1975

which showed that the passwords in Odoo and OpenERP for that matter are not being hashed:

http://php.net/manual/en/faq.passwords.php

"Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords."

More motivation: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

Just for those who don't know the difference between hashing and encrypting passwords:
http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it

Besides hasing passwords I also think a salt should be added.

Odoo is supposed to be used by businesses. If this is the kind of security that the Odoo developers
are encouraging then they deserve to be dragged to the stake and burned, since they don't seem to care about the security of the businesses
that are going to be using their software.

Ben Bernard

Yes, by default the password is not encrypted. To store password in encrypted text use auth_crypt (or base_crypt for later version). The best practice here is to use the module in production.

But, I agree that by default it should be secure.

Timo Goosen

Автор

"The best practice here is to use the module in production."

I can't say that I've seen anyone make this reccomendation in the official documentation.

Most people aren't aware that they should be using this. This should be installed by default or just be part of the base install by default. Security should not be an "optional" thing.

Ben Bernard

Yes, I agree with you. That is just my opinion.

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Реєстрація

Related Posts	Відповіді	Переглядів
Does Odoo require a specific version of PostGreSQL? Вирішено postgresql postgresql9.2 linux odoo odooV8	3 вер. 18	33205
What does this error mean on Odoo? "Could not execute command 'lessc'" Вирішено webclient ubuntu bug open linux ubuntu12.04 builder website odoo odooV8 linu	22 квіт. 23	113710
Restored database module upgrade not working database postgresql odoo odooV8	1 вер. 15	4868
What do I do with the Odoo support contract keys? openerp7 open linux opener odoo	0 бер. 15	4642
Add a button to a ValidationError odoo odooV8	1 лист. 22	4304

Це запитання позначене

Enjoying the discussion? Don't just read, join in!