View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|11848||Feature requests||Security||public||2016-10-31 08:48||2021-05-10 09:37|
|Fixed in Version||4.x.x|
|Summary||11848: Saved Surveys - E-Mail Notification Password in Plain Text|
|Description||Hi, when a participant saves a survey to finish it later, he receives an email with an access URL, his user name and password.|
I recently had a complaint from a customer who thought his password was saved unencrypted, since it was written in plain text in the email and in the URL. Of course, afterwards I could assure him that the PW is saved encrypted, but a little damage was already done.
My suggestion: We should add a line to this email, something like this:
We saved your chosen password encrypted to ensure your security. For your convenience it is here shown in plain text. Please remember your password or save this email. Since it is saved encrypted we can not restore your password when you forget it.
This text is just a suggestion but I think you'll get the idea.
Or a different, more secure solution: We could send, instead of the plain text PW in the URL, a hash of the encrypted PW.
And in the meantime don't send the PW at all in the email text.
The URL could be enough and it is a more secure solution.
All the best, urban-a :)
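The "more secure solution" proposed above (a link that carries no plain-text password), sketched as an added example that is not part of the original report and is not LimeSurvey code. It goes one step beyond the suggestion: instead of a bare hash of the stored password hash, it uses an HMAC keyed with a server secret over the saved-response id, the stored hash and an expiry, so the link cannot be forged from a database read, expires, and stops working when the password changes. The endpoint, the parameter names `saved`, `exp`, `tok` and the key are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; a real deployment loads the key from server-side config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
BASE_URL = "https://survey.example/index.php"  # hypothetical resume endpoint


def _token(saved_id, stored_pw_hash, expires):
    """Keyed MAC over the saved-response id, the stored password hash and the expiry."""
    msg = f"{saved_id}|{stored_pw_hash}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_resume_url(saved_id, stored_pw_hash, now=None, ttl=7 * 86400):
    """Return the link for the notification e-mail; it carries no password."""
    expires = int(time.time() if now is None else now) + ttl
    query = {"saved": saved_id, "exp": expires,
             "tok": _token(saved_id, stored_pw_hash, expires)}
    return f"{BASE_URL}?{urlencode(query)}"


def verify_resume_url(url, lookup_pw_hash, now=None):
    """Return the saved-response id if the link is authentic and unexpired, else None.

    lookup_pw_hash is a callable mapping an id to the stored password hash (or None).
    """
    q = parse_qs(urlparse(url).query)
    try:
        saved_id, expires, tok = int(q["saved"][0]), int(q["exp"][0]), q["tok"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameters
    stored = lookup_pw_hash(saved_id)
    if stored is None or (time.time() if now is None else now) > expires:
        return None  # unknown saved response or expired link
    expected = _token(saved_id, stored, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(tok.encode(), expected.encode()):
        return None
    return saved_id
```

Because the stored hash is part of the MAC input, changing the password invalidates every link issued before the change.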
|Tags||No tags attached.|
Maybe best: add a "saved survey" email template like we do for the other one.
Cannot be fixed with a clean plugin actually.
|Semi fixed in https://github.com/LimeSurvey/LimeSurvey/pull/1246 (we can update the email body for savesurvey)|
|2016-10-31 08:48||urbana||New Issue|
|2016-10-31 22:00||DenisChenu||Note Added: 41627|
|2016-10-31 22:00||DenisChenu||Relationship added||related to 10533|
|2019-03-23 10:30||DenisChenu||Note Added: 51105|
|2021-01-13 08:59||DenisChenu||Relationship added||has duplicate 16666|
|2021-05-10 09:37||c_schmitz||Assigned To||=> c_schmitz|
|2021-05-10 09:37||c_schmitz||Status||new => resolved|
|2021-05-10 09:37||c_schmitz||Resolution||open => fixed|
|2021-05-10 09:37||c_schmitz||Fixed in Version||=> 4.x.x|