datarhei / core

datarhei Core is management for FFmpeg processes without development effort. Whether your streaming has one viewer or a million, we have the tools to help you develop, deploy and manage any video project at any stage. We've solved the challenging problems so you can focus on your application, not your infrastructure.
https://docs.datarhei.com/core
Apache License 2.0
180 stars, 41 forks

Replace plain passwords in config.json with hashed ones #17

Closed deveth0 closed 7 months ago

deveth0 commented 8 months ago

Currently passwords are stored as plaintext in config.json, which is handy if you forget your passwords, but also if you forget the password of some other instance.

It's preferable to store passwords in a hashed (potentially also salted) way and compare the hashes instead of the plain passwords to prevent any damage.

svenerbeck commented 7 months ago

You're absolutely right, and the security of user credentials is a matter we take very seriously. Storing passwords in plaintext, even within a config.json file, poses a significant security risk. It's essential to ensure that passwords are not easily accessible in the event of unauthorized access to the configuration files.

The recommended approach is to store passwords using a hashed and salted method. This means that the password is processed through a cryptographic hash function, and 'salt' is added to it — a random string that makes the hash output unique. When a user logs in, the password they enter is hashed with the same salt and then compared to the stored hash. This way, even if the config.json file is compromised, the actual passwords are not exposed.

We are working on updating our system to incorporate these security enhancements. It's part of our ongoing commitment to provide not only a functional and user-friendly experience but also a secure one.

Thank you for highlighting this critical aspect of our system's security. We appreciate your vigilance and support in helping us improve.