Plaintext passwords and personal info... urk!

The SuiteCRM instance I recently inherited is in a very bad state, and I’m not sure whether this is something that can be fixed without a reinstall.

For some reason, user login passwords are stored in plaintext, which I’m really kind of freaking out about in a live system with fairly sensitive data.

I cannot see any option in the Password Management to encrypt the passwords, hence why I’m wondering whether this is an install-time option and necessitates a clean install.

Can I update this without a fresh install?

Also:
Why is this even an option?
Does it indicate that the person who set it up installed it as a dev version?
If so, what other security holes might co-occur that I should be looking out for?

And finally (on a related topic) I’ve seen a lot of discussion about the reintroduction of an encrypted field type on the 7.11 roadmap, and we’re on 7.11.22, but I can’t see anything in the designer to encrypt a field.

As I write it occurs to me what this probably is… is SuiteCRM looking for encryption libraries that were installed on the server external to and prior to SuiteCRM…?
So as this was set up with only SuiteCRM, it’s entirely possible that no encryption is available, and SuiteCRM has just skipped it…?
If so, I assume my predecessor would have received a warning about this at install time that they must have ignored…?

So again, can I fix this live or am I going to have to do a rebuild from ground up…?

Do you know which version of SuiteCRM (or even SugarCRM) your system started out with?

Anyway, I’ve been with this for many years and I don’t recall any moment when there were passwords stored as text. Where exactly did you find them? I’m suspecting this is some add-on you have, or some custom code.

Didn’t think it should have been possible in SuiteCRM.

It would appear it’s the 2FA plugin which was causing me problems in a previous thread.

The column with the unencrypted password is prefixed with “ht_”, which appears to stand for Helfertech (the other 2FA-related columns are all also prefixed ht_).

I’ll bring this up with them.

:frowning:

A plug-in for added security… that introduces security “terrible-practices”?

Absolutely shocking, isn’t it?
The vendor’s response to my bug report…?

We have uploaded a new version 5.2 which stores encrypted passwords instead of plaintext. Please download the latest package from the store.
[Unencrypted passwords | Support | Two-Factor Authentication]

So while it’s great they’ve updated, there’s no way I’m touching that plugin without commissioning a complete professional code audit (that my manager is definitely going to refuse to budget for) as I now have no confidence whatsoever in something that’s got to v5.1 and has a critical security flaw in it.

Besides, we were intending to move to Azure SSO anyway – that’s just jumped instantly to the top of the priority list!!

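For anyone who inherits an instance like this and wants to check whether a third-party column is really holding the login password in the clear, here is an added audit example (not code from the thread, SuiteCRM or the plugin vendor). It assumes the core `user_name`/`user_hash` columns plus vendor columns prefixed `ht_` as described above, and it assumes the legacy unsalted MD5 `user_hash` scheme for the cross-check; adapt that to whatever your instance actually uses.

```python
"""Audit a SuiteCRM-style users table for columns that store credentials in the clear.

Assumptions (constructed for this example): rows are dicts of column -> string value,
`user_hash` is the legacy unsalted MD5 of the password, and plugin columns use the
`ht_` prefix mentioned in the thread. Hash shapes are matched by format only.
"""
import hashlib
import re

# Value shapes that are at least hashed rather than stored in plaintext.
HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),  # bcrypt / PHP password_hash
    re.compile(r"^[0-9a-f]{32}$"),                        # unsalted MD5 (weak, not plaintext)
    re.compile(r"^[0-9a-f]{64}$"),                        # SHA-256 hex
]
CREDENTIAL_NAME_HINTS = ("pass", "pwd")


def looks_hashed(value):
    """True if the value has the shape of a known hash format."""
    return any(p.match(value) for p in HASH_PATTERNS)


def audit_users(rows, skip=("id", "user_name", "user_hash")):
    """Return {column: reason} for columns that appear to hold a plaintext credential.

    Highest confidence: hashing the value reproduces user_hash, i.e. the column
    is literally the login password. Lower confidence: a credential-named column
    whose value is not hash-shaped.
    """
    findings = {}
    for row in rows:
        for col, value in row.items():
            if col in skip or not isinstance(value, str) or not value:
                continue
            if hashlib.md5(value.encode()).hexdigest() == row.get("user_hash", ""):
                findings[col] = "matches user_hash: login password stored in the clear"
            elif (any(h in col.lower() for h in CREDENTIAL_NAME_HINTS)
                  and not looks_hashed(value) and col not in findings):
                findings[col] = "not hash-shaped: review what this column stores"
    return findings


# Constructed sample rows; the ht_ columns mimic the plugin columns from the thread.
SAMPLE_ROWS = [
    {"id": "1", "user_name": "alice", "user_hash": hashlib.md5(b"correct horse").hexdigest(),
     "ht_password": "correct horse", "ht_secret": "JBSWY3DPEHPK3PXP", "ht_enabled": "1"},
    {"id": "2", "user_name": "bob", "user_hash": hashlib.md5(b"hunter2").hexdigest(),
     "ht_password": "hunter2", "ht_secret": "KRSXG5CTMVRXEZLU", "ht_enabled": "0"},
]

if __name__ == "__main__":
    for col, reason in audit_users(SAMPLE_ROWS).items():
        print(f"{col}: {reason}")
```

Run it against a `SELECT * FROM users` export before and after the plugin update to confirm the column no longer reproduces `user_hash`.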