<p><strong>Jean-Philippe Lang</strong> (jp_lang@yahoo.fr) wrote on 2013-02-17T21:27:19Z (<a href="https://www.redmine.org/issues/13197?journal_id=45817">Redmine - Defect #13197: Don't send password in plain text via email after registration</a>):</p>
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul><p>AFAIK, it's only when an admin changes a user's password that it can be sent by email. Could you give the steps to reproduce your issue?</p>
<p><strong>Toshi MARUYAMA</strong> wrote on 2013-02-19T01:48:22Z (<a href="https://www.redmine.org/issues/13197?journal_id=45883">Defect #13197, journal 45883</a>):</p>
<ul><li><strong>Tracker</strong> changed from <i>Patch</i> to <i>Defect</i></li></ul>
<p><strong>Jean-Philippe Lang</strong> (jp_lang@yahoo.fr) wrote on 2013-02-20T21:11:09Z (<a href="https://www.redmine.org/issues/13197?journal_id=45935">Defect #13197, journal 45935</a>):</p>
<ul><li><strong>Resolution</strong> set to <i>Cant reproduce</i></li></ul>
<p><strong>Martin Eberle</strong> wrote on 2013-02-27T14:47:30Z (<a href="https://www.redmine.org/issues/13197?journal_id=46170">Defect #13197, journal 46170</a>):</p>
<ul></ul><p>Jean-Philippe Lang wrote:</p>
<blockquote>
<p>AFAIK, it's only when an admin changes a user's password that it can be sent by email. Could you give the steps to reproduce your issue?</p>
</blockquote>
<p>I just tried to reproduce it but I wasn't successful. I think it happens during the installation of Redmine when the admin sets up his account. In this case the self-set password is sent via email.</p>
<p><strong>Go MAEDA</strong> wrote on 2015-04-12T01:00:38Z (<a href="https://www.redmine.org/issues/13197?journal_id=63011">Defect #13197, journal 63011</a>):</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>Since nobody can reproduce it, I am closing this issue.</p>
<p><strong>int redmine</strong> wrote on 2015-12-06T11:11:51Z (<a href="https://www.redmine.org/issues/13197?journal_id=67682">Defect #13197, journal 67682</a>):</p>
<ul></ul><p>I can reproduce this on Redmine 3.1.3.<br />It is as the original issue opener said:<br />When the registration process is set to manual account activation, the new user automatically gets an email with his (self-set) username and password in plain text.</p>
<p>This happens when the admin activates the account. In this case it is not necessary, since the user knows the password anyway, because it was set by himself.<br />It also happens when a user's password is overwritten by the admin with a new password.<br />In this case it would be good to have an option to change that behaviour. Sending of the plain-text password should be disabled by default and only be done if the admin enables this feature.</p>
<p>Please reopen this issue.</p>
<p><strong>Jan from Planio www.plan.io</strong> wrote on 2015-12-06T15:57:49Z (<a href="https://www.redmine.org/issues/13197?journal_id=67694">Defect #13197, journal 67694</a>):</p>
<ul><li><strong>File</strong> <a href="/attachments/14791">send_account_info.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/14791/send_account_info.png">send_account_info.png</a> added</li></ul><p>I have just revisited this issue due to <a href="https://twitter.com/martineberle/status/673475436626771968" class="external">a tweet</a>. I am not able to reproduce it either.</p>
<p>Martin Eberle wrote:</p>
<blockquote>
<p>When the registration process is set to manual account activation, the new user automatically gets an email with his (self-set) username and password in plain text.</p>
</blockquote>
<p>This does not seem to be the case. I've now tested this and revisited the code again. The password entered during manual registration is <strong>not</strong> sent when a user registers for a new account.</p>
<p>int redmine wrote:</p>
<blockquote>
<p>This happens when the admin activates the account. In this case it is not necessary since the user knows the password anyway, because it was set by himself.</p>
</blockquote>
<p>This is technically not possible. The plain text password is only kept in memory during the <code>Account#register</code> request and never gets stored in the database. Since passwords are <a href="https://en.wikipedia.org/wiki/Hash_function" class="external">hashed</a>, there is no way to compute a plain text password from its stored hash. Therefore, during activation by an admin, the plain text is not available anymore and cannot possibly be sent via email.</p>
<p>int redmine wrote:</p>
<blockquote>
<p>It also happens when a users password is overwritten by admin with a new password.</p>
</blockquote>
<p>This particular aspect is correct and intended behavior. If the admin sets a new password, there should be a way to tell that new password to the user.</p>
<p>int redmine wrote:</p>
<blockquote>
<p>In this case it would be good to have an option to change that behaviour. Sending of the plain-text password should be disabled by default and only be done if the admin enables this feature.</p>
</blockquote>
<p>There is already an option for the admin to select whether the account information (including the password) should be sent. There is also an option to require the user to change the (insecurely transmitted) password at her first login – see screenshot.</p>
<p><a class="thumbnail" title="send_account_info.png" href="https://www.redmine.org/attachments/14791"><img alt="send_account_info.png" src="https://www.redmine.org/attachments/thumbnail/14791/419" /></a></p>
<p>Please clarify how you were able to reproduce this. Otherwise, I don't think we should reopen this issue.</p>
<p><strong>Jan from Planio www.plan.io</strong> wrote on 2015-12-06T16:28:50Z (<a href="https://www.redmine.org/issues/13197?journal_id=67697">Defect #13197, journal 67697</a>):</p>
<ul></ul><p>Martin Eberle wrote:</p>
<blockquote>
<p>Jean-Philippe Lang wrote:</p>
<blockquote>
<p>AFAIK, it's only when an admin changes a user's password that it can be sent by email. Could you give the steps to reproduce your issue?</p>
</blockquote>
<p>I just tried to reproduce it but I wasn't successful. I think it happens during the installation of Redmine when the admin sets up his account. In this case the self-set password is sent via email.</p>
</blockquote>
<p>Aha! The problem you describe here is actually quite different from your initial description in this issue, but it's still a valid (albeit much less severe) concern. I've opened <a class="issue tracker-3 status-5 priority-4 priority-default closed" title="Patch: Prevent admins from sending themselves their own password (Closed)" href="https://www.redmine.org/issues/21436">#21436</a> for it and proposed a patch. Thanks!</p>
<p><strong>Jan from Planio www.plan.io</strong> wrote on 2015-12-06T16:34:33Z (<a href="https://www.redmine.org/issues/13197?journal_id=67698">Defect #13197, journal 67698</a>):</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/21436">Patch #21436</a>: Prevent admins from sending themselves their own password</i> added</li></ul>
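<p>The following Ruby model is an added example, written for this page; it is not Redmine's code and not something any participant in the thread posted. It makes the two arguments from Jan's replies concrete: a self-registered password exists only inside the registration request and is stored as a salted hash, so a later admin activation has nothing to put in the mail; an admin-set password is different because the admin does know the clear text, so sending it is an explicit choice and can be paired with a forced change at first login. The class name <code>Account</code>, the functions <code>register</code>, <code>activation_mail</code> and <code>admin_reset_password</code>, the option names <code>send_information</code> and <code>must_change_passwd</code> (modelled on the checkboxes in the screenshot) and the sha1(salt + sha1(password)) layout are all assumptions, not a description of Redmine's implementation. The self-notification guard stands in for the behaviour proposed in #21436.</p>

```ruby
require 'digest/sha1'
require 'securerandom'

# Added illustration of the argument made in this thread; it is not Redmine's
# own code. Class and method names, the salted SHA-1 layout and the mail
# shapes are assumptions chosen to make the point concrete.
class Account
  attr_reader :login, :salt, :hashed_password, :status
  attr_accessor :must_change_passwd

  def initialize(login)
    @login = login
    @status = :registered
    @must_change_passwd = false
  end

  # One-way function: only the digest is ever kept.
  def self.hash_password(clear)
    Digest::SHA1.hexdigest(clear.to_s)
  end

  # Fresh random salt per password; stores sha1(salt + sha1(clear)).
  # The clear text is consumed here and not retained anywhere.
  def password=(clear)
    @salt = SecureRandom.hex(16)
    @hashed_password = self.class.hash_password("#{@salt}#{self.class.hash_password(clear)}")
  end

  def check_password?(clear)
    @hashed_password == self.class.hash_password("#{@salt}#{self.class.hash_password(clear)}")
  end

  def activate!
    @status = :active
  end

  # Everything that would reach the database: no plain text among it.
  def stored_attributes
    { login: @login, salt: @salt, hashed_password: @hashed_password, status: @status }
  end
end

# Self-registration with manual activation. The clear-text password lives in
# this method's argument for the duration of the request and nowhere else.
def register(login, clear_password)
  account = Account.new(login)
  account.password = clear_password
  account
end

# Admin activation happens in a later request, from stored attributes only,
# so the activation mail has no password to include.
def activation_mail(account)
  account.activate!
  {
    to: account.login,
    subject: 'Your account has been activated',
    body: "Your account #{account.login} is now active. " \
          'Log in with the password you chose at registration.'
  }
end

# Admin-set password: here the admin does know the clear text, so sending it
# is a per-request choice (send_information), and must_change_passwd forces a
# rotation at first login. Returning nil when the admin resets their own
# password models the guard proposed in the follow-up #21436.
def admin_reset_password(admin, account, new_clear, send_information:, must_change: true)
  account.password = new_clear
  account.must_change_passwd = must_change
  return nil unless send_information
  return nil if admin.equal?(account)
  lines = ["Login: #{account.login}", "Password: #{new_clear}"]
  lines << 'You must change this password at your next login.' if must_change
  { to: account.login, subject: 'Your password has been changed', body: lines.join("\n") }
end
```

<p>The useful check is the one on <code>stored_attributes</code>: after <code>register</code> returns, nothing persisted contains the clear text, so any mail built in a later request cannot leak it regardless of how the activation code is written. The only path that can carry a clear-text password is <code>admin_reset_password</code>, and there it is gated by <code>send_information</code> and marked for rotation by <code>must_change_passwd</code>.</p>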