Open jmhauer opened 4 years ago
This is an issue with upstream; I recommend you change PASSWORD_HASH
manually from Auto to something of your liking.
I changed it. But I think for better security there should be no way that the password is stored in plain text if it is not explicitly requested. It could be a security issue for someone who doesn't think about this behavior and has PASSWORD_HASH set to auto.
I'll add a warning in upcoming release when someone has the var set to auto.
The option PASSWORD_HASH=auto stores the password in clear text if no password was set before, because no hash mechanism is used if no password exists. I think it would be better to use a standard hash mechanism like SHA instead of clear text, so that the password is hashed even if no password existed before.
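
The fallback requested above, sketched as an added example (not code from this project or its upstream): `auto` reuses the scheme of the existing stored value and, when there is none, hashes with a default instead of writing clear text. The `{SCHEME}base64(digest+salt)` storage format, the `SSHA512` default and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
import re

DEFAULT_SCHEME = "SSHA512"  # assumed fallback; the issue only asks for "a standard hash mechanism like SHA"
_DIGESTS = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}
_PREFIX = re.compile(r"^\{([A-Z0-9-]+)\}")

def detect_scheme(stored):
    """Return the scheme named in a '{SCHEME}...' value, or None for empty/clear text."""
    m = _PREFIX.match(stored or "")
    return m.group(1) if m and m.group(1) in _DIGESTS else None

def resolve_scheme(setting, stored):
    """'auto' reuses the existing scheme; with nothing to reuse it falls back to a hash."""
    if setting.lower() == "auto":
        return detect_scheme(stored) or DEFAULT_SCHEME
    if setting.upper() not in _DIGESTS:
        raise ValueError("unsupported PASSWORD_HASH value: %r" % setting)
    return setting.upper()

def hash_password(password, scheme, salt=None):
    """Salted digest in the assumed '{SCHEME}base64(digest + salt)' layout."""
    algo, _ = _DIGESTS[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify_password(password, stored):
    """Check a candidate against a stored value; clear-text values never verify."""
    scheme = detect_scheme(stored)
    if scheme is None:
        return False
    _, size = _DIGESTS[scheme]
    salt = base64.b64decode(stored[len(scheme) + 2:])[size:]
    return hmac.compare_digest(hash_password(password, scheme, salt), stored)

def store_password(setting, stored, new_password):
    """Value to persist for new_password given the PASSWORD_HASH setting and the old value."""
    return hash_password(new_password, resolve_scheme(setting, stored))

if __name__ == "__main__":
    # Constructed sample: first-time password with PASSWORD_HASH=auto
    print(store_password("auto", None, "s3cret"))
```

Salted SHA follows the suggestion in the issue; where the backend supports a slow password KDF such as bcrypt or Argon2, that is the stronger default.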