View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|11848||Feature requests||Security||public||2016-10-31 08:48||2021-07-12 14:10|
|Summary||11848: Saved Surveys - E-Mail Notification Password in Plain Text|
Hi, when a participant saves a survey to finish it later, he receives an email with an access URL, his user name and password.
I recently had a complaint from a customer who thought his password was saved unencrypted, since it was written in plain text in the email and in the URL. Of course, afterwards I could assure him that the PW is saved encrypted, but a little damage was already done.
My suggestion: We should add a line to this email, something like this:
This text is just a suggestion but I think you'll get the idea.
Or a different, more secure solution: We could send, instead of the plain text PW in the URL, a hash of the encrypted PW.
The URL could be enough and it is a more secure solution.
All the best, urban-a :)
|Tags||No tags attached.|
Maybe best: add a "saved survey" email template like we do for the other one.
Cannot be fixed with a clean plugin actually.
Semi fixed in https://github.com/LimeSurvey/LimeSurvey/pull/1246 (we can update the email body for savesurvey)
|2016-10-31 08:48||urbana||New Issue|
|2016-10-31 22:00||DenisChenu||Note Added: 41627|
|2016-10-31 22:00||DenisChenu||Relationship added||related to 10533|
|2019-03-23 10:30||DenisChenu||Note Added: 51105|
|2021-01-13 08:59||DenisChenu||Relationship added||has duplicate 16666|
|2021-05-10 09:37||c_schmitz||Assigned To||=> c_schmitz|
|2021-05-10 09:37||c_schmitz||Status||new => resolved|
|2021-05-10 09:37||c_schmitz||Resolution||open => fixed|
|2021-05-10 09:37||c_schmitz||Fixed in Version||=> 4.x.x|
|2021-07-12 14:10||c_schmitz||Status||resolved => closed|
|2021-07-12 14:10||c_schmitz||Fixed in Version||4.x.x => 5.x|