Does Nuxeo Connect store the passwords of registered users in plaintext?
So I signed up to Nuxeo Connect today and after clicking the confirmation link in the registration email I was surprised to see my password appear in plain text on the confirmation webpage and in the registration email. Apart from the fact that my password is now sitting in clear text on a mail server somewhere, does this mean that my password is stored in plaintext in the Nuxeo Connect database?
Ironically, when registering for Nuxeo Answers the registration email says: “Password: As IF we would send your password in cleartext!”
> Does connect store my password in clear text?
The answer is no. Password is stored with a hash when the user is created. The user creation occurs after you use the link in the mail.
> About clear text password in the mail?
Yes, we know this is far from ideal.
However, please be aware that the earlier version was not sending the password in the mail and that we had a huge number of people that were not able to remember the password they entered in the registration form.
This was generating a lot of noise so we added the password in the mail.
However, we are working on improving that, by letting the user choose his password at first connection. Hopefully it will be available soon in a Connect upgrade.
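The flow described in the answer as planned (no password in the mail, the user chooses it at first connection, and only a hash is stored) could look like the sketch below. This is an added example, not Nuxeo Connect code and not part of the original answer; the function names, the in-memory stores, the `connect.example.invalid` URL, the 24-hour link lifetime and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600      # assumed lifetime of the confirmation link, in seconds
PBKDF2_ROUNDS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256

pending = {}   # sha256(token) -> (email, expiry); the raw token is never stored
users = {}     # email -> (salt, password_hash); the password itself is never stored


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email, now=None):
    """Start a registration and return the body of the confirmation mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    pending[digest] = (email, now + TOKEN_TTL)
    # The mail carries only a single-use link, no password.
    return "Confirm your account: https://connect.example.invalid/confirm?token=" + token


def confirm(token, password, now=None):
    """Create the user from a valid link, with the password chosen at this step."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = pending.pop(digest, None)      # pop makes the link single-use
    if entry is None or now > entry[1]:
        return False
    salt = secrets.token_bytes(16)
    users[entry[0]] = (salt, hash_password(password, salt))
    return True


def check_login(email, password):
    record = users.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))
```

Because the password first reaches the server at the confirmation step, there is nothing to hold in clear text between registration and confirmation, and a forgotten password is handled by a reset link rather than by the mail archive.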