Redmine - Defect #17830: User creation: clear/plaintext password sent via unencrypted email
https://www.redmine.org/issues/17830?journal_id=58546 - 2014-09-10T11:50:39Z - Jean-Baptiste Barth
<ul><li><strong>Assignee</strong> set to <i>Jean-Baptiste Barth</i></li><li><strong>Target version</strong> set to <i>Candidate for next major release</i></li></ul><p>Taking it as salvor == me :) Any comment welcome.</p>
Redmine - Defect #17830 - https://www.redmine.org/issues/17830?journal_id=58769 - 2014-09-19T22:06:16Z - Michael Weinberg
<ul></ul><p>More problems. I'm running v 2.5.2:<br />1. There is a checkbox ("Send account information to the user") that is checked by default and unchecking it doesn't stick.</p>
<p>2. I changed my password for an existing account and it sent it in plain text.</p>
<p>3. There is no indication that "account information" contains the plain text password. At the very minimum, any password sent via plain text should be assumed compromised. The user should be required to change the password if they ever get a password in plain text.</p>
Redmine - Defect #17830 - https://www.redmine.org/issues/17830?journal_id=99603 - 2020-11-01T13:51:02Z - Michael Gerz
<ul></ul><p>Does this security issue still exist after so many years?</p>
Redmine - Defect #17830 - https://www.redmine.org/issues/17830?journal_id=109894 - 2023-05-03T09:41:49Z - Hendrik Jaeger
<ul></ul><p>I just registered a new account here on redmine.org and only received the registration link.<br />When I reported this, it was version 1.4.4, it seems; now we are at major version 4/5.</p>
<p>It seems like at least part of this issue is fixed.<br /><a class="user active" href="https://www.redmine.org/users/1188">Jean-Baptiste Barth</a> can you provide a more complete and/or accurate update?</p>
Redmine - Defect #17830 - https://www.redmine.org/issues/17830?journal_id=109909 - 2023-05-04T00:39:58Z - Go MAEDA
<ul></ul><p>Hendrik Jaeger wrote in <a href="#note-4">#note-4</a>:</p>
<blockquote>
<p>I just registered a new account here on redmine.org and only received the registration link.<br />When I reported this, it was version 1.4.4, it seems; now we are at major version 4/5.</p>
<p>It seems like at least part of this issue is fixed.</p>
</blockquote>
<p>No, it is not yet fixed. Even in Redmine 5.0, a password will be sent in plain text if an administrator checks the checkbox named "Send account information to the user" when creating a user.</p>
Redmine - Defect #17830 - https://www.redmine.org/issues/17830?journal_id=109915 - 2023-05-04T14:43:50Z - Holger Just
<ul></ul><p>It may be a good idea to force users to change the password on first login if the password was sent to the user. Then, the initial password is effectively a token which allows the user to log in once.</p>
<p>This could be enforced by setting the <code>must_change_password</code> flag on the user (and thus implicitly enable the respective checkbox on the <code>users/new.html.erb</code> form) if account details are sent to the user. This could be added in the <code>UsersController</code>. We also might add some documentation to explain what this does and note that the email will include the generated or set password.</p>
<p>Hendrik Jaeger wrote in <a href="#note-4">#note-4</a>:</p>
<blockquote>
<p>I just registered a new account here on redmine.org and only received the registration link.<br />When I reported this, it was version 1.4.4, it seems; now we are at major version 4/5.</p>
<p>It seems like at least part of this issue is fixed.</p>
</blockquote>
<p>As far as I understand the old code, in Redmine < 3.4 we have indeed checked the "Send account information to the user" checkbox by default. Unless the administrator has actively unchecked the checkbox each time, the password of the new user would indeed be sent via plaintext mail by default. I believe this was incidentally changed in <a class="changeset" title="Send email even if password is not changed (#7577)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/16453">r16453</a> so that this checkbox is not checked by default.</p>
<p>In any case, as far as I'm aware, when self-registering, we have never sent the self-selected password via mail. This was (and still is) only used as a way to send the newly created user a means to log in if this new user was created by an admin.</p>
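<p>The rule Holger Just sketches above, written out as an added example. This is not Redmine's code and not part of any comment in this thread: it is plain Ruby with a hypothetical stand-in for the <code>User</code> model and for the create action of <code>UsersController</code>, the password hashing is simplified to a salted SHA-256, and the mailer is replaced by a hash so the whole thing runs offline. The point it shows is that forcing <code>must_change_password</code> whenever "Send account information to the user" is ticked turns the mailed password into a token that only reaches the password-change screen, and that a later login with the mailed value is refused once the password has been changed.</p>

```ruby
require 'securerandom'
require 'digest'

# Stand-in for Redmine's User model. Hypothetical, not the real class:
# the real one is an ActiveRecord model with a different hashing scheme.
class User
  attr_reader :login
  attr_accessor :must_change_password

  def initialize(login)
    @login = login
    @must_change_password = false
    @salt = nil
    @hashed_password = nil
  end

  # Store only a salted hash; the plaintext is never kept on the user object.
  def password=(plain)
    @salt = SecureRandom.hex(16)
    @hashed_password = Digest::SHA256.hexdigest(@salt + plain)
  end

  def check_password?(plain)
    return false if @hashed_password.nil?
    secure_equal?(Digest::SHA256.hexdigest(@salt + plain), @hashed_password)
  end

  private

  # Constant-time comparison so timing does not leak how many leading
  # characters of the candidate hash matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the create action of UsersController (hypothetical name and
# signature). send_information mirrors the "Send account information to the
# user" checkbox. Returns [user, mail]; mail is a hash describing what the
# mailer would send, or nil when nothing is mailed.
def create_user(login:, password: nil, send_information: false, must_change_password: false)
  user = User.new(login)
  password ||= SecureRandom.alphanumeric(20)   # the "Generate password" case
  user.password = password

  # The proposed rule: a password that goes out by mail is a one-time token,
  # so the flag is forced on regardless of what the admin ticked.
  user.must_change_password = must_change_password || send_information

  mail = nil
  if send_information
    mail = {
      to: login,
      body: "Login: #{login}\nPassword: #{password}\n" \
            "You must change this password the first time you log in."
    }
  end
  [user, mail]
end

# Outcome of a login attempt: :denied, :change_password_required or :ok.
# A user carrying the flag can authenticate, but only to change the password.
def login(user, password)
  return :denied unless user.check_password?(password)
  user.must_change_password ? :change_password_required : :ok
end

# Only a successful change clears the flag, which retires the mailed password.
def change_password(user, old_password, new_password)
  return false unless user.check_password?(old_password)
  user.password = new_password
  user.must_change_password = false
  true
end

if $PROGRAM_NAME == __FILE__
  user, mail = create_user(login: "alice", send_information: true)
  puts mail[:body]
  mailed = mail[:body][/^Password: (\S+)$/, 1]
  puts "first login with mailed password: #{login(user, mailed)}"
  change_password(user, mailed, "correct horse battery staple")
  puts "mailed password after change:    #{login(user, mailed)}"
end
```

<p>One caveat the flag does not remove: the password still travels through the mail system in plaintext and sits in the recipient's mailbox, so it is only ever as private as the mail path. The flag shrinks the window in which that copy is useful to whoever reads it; it does not make the mailed value safe, which is why the mailed password should still be treated as compromised until it has been changed.</p>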