therecluse26 / PHP-Login

A login system built with PHP, MySQL, jQuery and Bootstrap
MIT License
836 stars 442 forks

Security issue mail password stored in clear text #152

Open streamcoindev opened 6 years ago

streamcoindev commented 6 years ago

Will this be changed in the future?

therecluse26 commented 6 years ago

I know, I've been kicking around a good way to approach this for a while. Unfortunately I'm not coming up with anything because it's an external server being authenticated against. I can't send a hash over because it would just get re-hashed on the mail server side, so I unfortunately don't see any way to store this that wouldn't involve ultimately decrypting it and sending it as plain text anyway. And if they have access to your database, they'll likely have access to your code base as well to be able to find the hashing key, so yeah. I admit that's not good.

I'm planning on adding additional mail methods in the near future, so hopefully I'll be able to figure out a better strategy to tackle this problem.
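An added example, not part of the thread or of PHP-Login's code: reversible encryption of the stored mail password with libsodium, where the key is read from the process environment instead of the database or the code base. The variable name `MAIL_SECRET_KEY`, the function names and the sample password are assumptions made for illustration; this only helps when the database is exposed without the application host's environment (for example a leaked SQL dump).

```php
<?php
// Added example: encrypt the SMTP password at rest with libsodium (PHP >= 7.2).
// MAIL_SECRET_KEY is a hypothetical environment variable holding a
// base64-encoded 32-byte key; it is not an existing PHP-Login setting.

function loadMailKey(): string
{
    $b64 = getenv('MAIL_SECRET_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MAIL_SECRET_KEY missing or not a 32-byte key');
    }
    return $key;
}

// Returns base64(nonce || ciphertext+MAC), suitable for a text column.
function encryptMailPassword(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Call only at the moment the SMTP client needs the plaintext.
function decryptMailPassword(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored mail password is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered ciphertext');
    }
    return $plain;
}

// Constructed demo: generate a throwaway key, round-trip a sample password,
// then confirm that a row decrypted under a different key is rejected.
putenv('MAIL_SECRET_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$stored = encryptMailPassword('example-smtp-password', loadMailKey());
var_dump(decryptMailPassword($stored, loadMailKey()) === 'example-smtp-password');
try {
    decryptMailPassword($stored, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```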