Password encryption and storage in eMember
- This topic has 9 replies, 2 voices, and was last updated 8 years, 9 months ago by wzp.
February 4, 2016 at 2:37 pm #13083 fourstar (Member)
We have a member that was appalled to see his password in clear text in an email and left our membership site because of it. I have altered that email AND the ‘change password’ email to remove the password but I’d like to be able to explain to him how it all works behind the scenes. Can you help?
February 4, 2016 at 2:41 pm #72470 wzp (Moderator)
The passwords are kept using a ONE WAY hash. So you can’t look at the database and get passwords (this is the best security practice for storing passwords).
The following WordPress documentation has an explanation of how passwords are hashed in the WP system. We use that same functionality in our WP eMember plugin also:
https://codex.wordpress.org/Function_Reference/wp_hash_password
What evidence do you have that this event happened? At no time does eMember ever display or send passwords in clear text. Passwords are stored in the database as a one way hash. Or perhaps this user did “something stupid,” like using his email address as his “secret password,” and is upset that “his password” was sent to him in an email, LOL?
I only mention that scenario because, in the last few weeks, we’ve had people asking about setting up eMember systems without passwords, and wanting to use email addresses as both the user name AND password.
February 4, 2016 at 2:44 pm #72471 fourstar (Member)
The default email in eMember sent the member confirmation and password to the person. Here is one it sent to me which did the same thing: (I blanked out my user name and password in the example below.)
Dear Kirk Foster
Your registration is now complete!
Registration details:
Username: ************
Password: *************
Please login to the member area.
Thank You
February 4, 2016 at 2:54 pm #72472 wzp (Moderator)
That looks like the default email for the WordPress user registration side of your site.
Are you only registering eMember users, or are you also registering WordPress users?
February 4, 2016 at 3:05 pm #72473 fourstar (Member)
Only eMember users. All of the WordPress member options are disabled.
February 4, 2016 at 3:08 pm #72474 fourstar (Member)
Here is the default email setting for registration complete in eMember:
Dear {first_name} {last_name}
Your registration is now complete!
Registration details:
Username: {user_name}
Password: {password}
Please login to the member area at the following URL:
{login_link}
Thank You
February 4, 2016 at 4:02 pm #72475 wzp (Moderator)
You can remove the user name and password email tags from the template.
February 4, 2016 at 4:03 pm #72476 wzp (Moderator)
Here is the complete list of email tags:
https://support.tipsandtricks-hq.com/forums/topic/wp-emember-email-tags-reference-list-of-email-tags
February 4, 2016 at 4:04 pm #72477 fourstar (Member)
Yes, we did that. Can you just explain the encryption in the database so I can reassure the member that his information is secure?
February 4, 2016 at 4:12 pm #72478 wzp (Moderator)
The password is a one way hash, identical to the one used by WordPress. Once the password is encrypted and stored in the eMember database, it cannot be decrypted.
The only reason the password is available as an email tag is because the email is generated at the time the user picks their password. Once the registration process completes, there is no way to recover the unhashed password. The availability of the password as an email tag is strictly as a courtesy “convenience” to the user, so that they can keep a copy in a “safe place.”
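Added illustration, not part of the thread and not eMember's or WordPress's own code: a Python re-implementation of the phpass "portable" format that WordPress's wp_hash_password produced at the time of this thread, which the moderator says eMember reuses. It shows what is stored (a random salt plus an iterated digest) and why a login check re-hashes the attempt instead of decrypting anything; the function names and sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets

# phpass alphabet; the character at index N also encodes log2(rounds) = N.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's base64 variant: 3 bytes, little-endian, 6 bits per character."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for n in range(len(chunk) + 1):  # 1 byte -> 2 chars, 3 bytes -> 4 chars
            out.append(ITOA64[(value >> (6 * n)) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, salt: str, log2_rounds: int = 13) -> str:
    """Return the 34-character string that would sit in the password column."""
    if len(salt) != 8 or not 7 <= log2_rounds <= 30:
        raise ValueError("need an 8-character salt and 7..30 log2 rounds")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2_rounds):  # key stretching: 8192 rounds by default
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2_rounds] + salt + _encode64(digest)

def new_hash(password: str) -> str:
    """Hash with a fresh random salt, as done when a member sets a password."""
    return phpass_hash(password, _encode64(secrets.token_bytes(6)))

def check_password(password: str, stored: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    if len(stored) != 34 or not stored.isascii() or not stored.startswith("$P$"):
        return False
    rounds = ITOA64.find(stored[3])
    if not 7 <= rounds <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], rounds)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    row = new_hash("correct horse battery")  # constructed sample password
    print(row)
    print(check_password("correct horse battery", row))
    print(check_password("wrong guess", row))
```

The plaintext exists only in the registration request that calls the hashing step, which is the one moment a `{password}` email tag can be filled in; afterwards only the `$P$` string is available.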