View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 262
IDProjectCategoryView StatusDate SubmittedLast Update
11848Feature requestsSecuritypublic2016-10-31 08:482021-07-12 14:10
Reporterurbana Assigned Toc_schmitz  
PrioritynoneSeverityfeature 
Status closedResolutionfixed 
Fixed in Version5.x 
Summary11848: Saved Surveys - E-Mail Notification Password in Plain Text
Description

Hi, when a participant saves a survey to finish it later he receives an email with an access url, his user name and password.

I recently had a complain from a customer who thought his password was saved not encrypted since it is was written in plain text in the email and in the url. Of course, afterwards I could ensure him that the PW is saved encrypted but a little damage was already done.

My suggestion: We should add a line to this email, something like this:
We saved your chosen password encrypted to ensure your security. For your convenience it is here shown in plain text. Please remember your password or save this email. Since it is saved encrypted we can not restore your password when you forget it.

This text is just a suggestion but I think you'll get the idea.

Or a different, more secure solution: We could send, instead of the plain text PW in the URL, a hash of the encrypted PW.
And in the meantime don't send the PW at all in the email text.

The URL could be enough and it is a more secure solution.

All the best, urban-a :)

TagsNo tags attached.
Bug heat262
Story point estimate
Users affected %

Relationships

Relationship GraphDependency Graph
related to 10533 closedDenisChenu Feature requests Global beforeSendEmail event 
has duplicate 16666 closedc_schmitz Bug reports Registration (continue later): Bounced E-Mail with visible password 

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2016-10-31 22:00

developer   ~41627

Maybe best : add a "saved survey" email template like we do for the other one.

Can not be fixed with a clean plugin actually.
DenisChenu

DenisChenu

2019-03-23 10:30

developer   ~51105

Semi fixed in https://github.com/LimeSurvey/LimeSurvey/pull/1246 (we can update the email body for savesurvey)

Issue History

Date Modified Username Field Change
2016-10-31 08:48 urbana New Issue
2016-10-31 22:00 DenisChenu Note Added: 41627
2016-10-31 22:00 DenisChenu Relationship added related to 10533
2019-03-23 10:30 DenisChenu Note Added: 51105
2021-01-13 08:59 DenisChenu Relationship added has duplicate 16666
2021-05-10 09:37 c_schmitz Assigned To => c_schmitz
2021-05-10 09:37 c_schmitz Status new => resolved
2021-05-10 09:37 c_schmitz Resolution open => fixed
2021-05-10 09:37 c_schmitz Fixed in Version => 4.x.x
2021-07-12 14:10 c_schmitz Status resolved => closed
2021-07-12 14:10 c_schmitz Fixed in Version 4.x.x => 5.x