witrin / TypoGento

Integrating Magento with TYPO3.

Improve single sign-on for customer accounts #9

Closed witrin closed 12 years ago

witrin commented 12 years ago

The mechanism for the synchronization of customer accounts has some design flaws. Because both systems have partially different password encryption methods, they are also two equivalent sources against which authentication must be performed. Thus, passwords should be synchronized only when an account is created or when a password is changed by a user. In the worst case, if such a plain text synchronization was not possible before an authentication has been performed (e.g. by an import), it would be necessary to check both systems as long as the user or the administrator doesn't change the password.
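
The behaviour described in the comment above, as an added sketch that is not TypoGento's code: two credential stores with incompatible hash formats, synchronized only where the plaintext is available, with both checked at login for accounts that were imported as hashes. The class, the method names and the two PBKDF2 variants standing in for the systems' real hash formats are assumptions.

```python
import hashlib
import hmac
import os

# Stand-in schemes (assumption): two incompatible formats, so a stored
# hash from one system cannot simply be copied into the other.
SCHEMES = {"A": "sha256", "B": "sha512"}

def make_hash(scheme, password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(SCHEMES[scheme], password.encode(), salt, 100_000)
    return f"{scheme}${salt.hex()}${dk.hex()}"

def verify(stored, password):
    if not stored:
        return False
    scheme, salt_hex, _ = stored.split("$")
    candidate = make_hash(scheme, password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

class LinkedAccounts:
    """Two credential stores keyed by login, each with its own hash format."""
    def __init__(self):
        self.store_a = {}  # hypothetical: the CMS side
        self.store_b = {}  # hypothetical: the shop side

    def set_password(self, login, password):
        # Account creation or password change: the only points where the
        # plaintext exists, so both stores are written here.
        self.store_a[login] = make_hash("A", password)
        self.store_b[login] = make_hash("B", password)

    def import_into_b(self, login, stored_hash):
        # Imported account: only a hash is known, store A gets nothing.
        self.store_b[login] = stored_hash

    def authenticate(self, login, password):
        # Both stores are equivalent sources; until the password is changed
        # an imported account can only be verified by the store that has it.
        ok_a = verify(self.store_a.get(login), password)
        ok_b = verify(self.store_b.get(login), password)
        return ok_a or ok_b

    def in_sync(self, login):
        return login in self.store_a and login in self.store_b
```
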