Author Topic: Passwords for payment processors not masked (Read 1862 times)

lentilsoup · December 03, 2009, 12:58:27 pm

When setting up a new payment processor, (civicrm/admin/paymentProcessor), shouldn't the password be masked (i.e. use <input type="password" /> instead of <input type="text" />)?

I couldn't find any issues filed in the tracker about this -- I'll open one if this is considered a valid concern.

Dave Greenberg · December 03, 2009, 04:55:14 pm

Since this is an infrequently used admin-only form, AND processor passwords are often quite complex, AND debugging problems based on incorrect password input could potentially be a nightmare - I'm not convinced that this is a good idea.

You might be able to use the smarty plugin crmReplace in your template to change the input type from "text" to "password".

Of course, if we get a lot of folks agreeing that this field SHOULD be masked, I'm open to thinking differently about this :-)

rchapman · March 03, 2010, 12:10:36 pm

We plan on using this feature on our site, but now we cannot due to the fact that the API cannot be securely input by our IT group. This would be a useful feature to not have to add plugins to mask a secure number.

jamie · June 21, 2013, 11:07:57 am

I realize that I'm picking up on a an old threat... but we've experienced this problem too.

I don't think masking using the password input type is the right answer, both for the reasons Dave gives and because anyone with the right browser plugin can unmask these passwords.

I think a better option would be to define a privilege called Administer Payment Processors, so we can give people admin access without giving them access to this piece of sensitive data.

What do you think?

xavier · June 21, 2013, 11:20:47 am

Hi,

I think that storing password in clear is a security issue but that we can't avoid it (for pp that have the dumb idea of requesting a password instead of a token that you can revoque for instance).

As long as it's stored in clear, it's insecure, don't think a different permission is going to genuinely help. On the other hand, homeopathic security doesn't hurt either so if you think it does, might a least stop the most trivial attacks.

X+

Dave Greenberg · June 24, 2013, 09:59:23 am

Maybe we can do both - new permission for admin payment processor, and some encryptiong of the stored value with the site key (the IPN code would need to decrypt before sending to the processor of course).

?

xavier · June 24, 2013, 01:55:25 pm

As civi will need to decrypt it, I doubt the key used for the encryption is going to be much of a trouble to find for someone having access to the encrypted key.

Another place where it could as much/as little be useful is for the password of the mail accounts (for inbound or bounce)

CiviCRM Community Forums (archive)

News:

Author Topic: Passwords for payment processors not masked (Read 1862 times)

lentilsoup

Passwords for payment processors not masked

Dave Greenberg

Re: Passwords for payment processors not masked

rchapman

Re: Passwords for payment processors not masked

jamie

Re: Passwords for payment processors not masked

xavier

Re: Passwords for payment processors not masked

Dave Greenberg

Re: Passwords for payment processors not masked

xavier

Re: Passwords for payment processors not masked