Password

8 years 11 months ago - 8 years 11 months ago #62449 by Mark
Password was created by Mark
I've just noticed the "password" column in the membership table.
Is that really the user password? It's stored in plaintext, it seems.

If that is the case it is a really, Really, REALLY bad potential security risk.

Please tell me that you're going to get rid of it.
It compromises the entire system, and as people often use the same password on many accounts, it's a very bad security risk for the whole net...
Last edit: 8 years 11 months ago by Mark.

8 years 11 months ago #62450 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Password
Hi Mark

It is not bad like that. Let me explain:

1. It is encrypted, not your raw password

2. It will only be used if you set "Only create user account when membership active/approved" config option to Yes

3. It will be erased as soon as the subscription record is active/approved. So in case someone uses Paypal, it will be erased right after he makes payment at Paypal (right after the system sends username and password to him)

Regards,

Tuan
The following user(s) said Thank You: Mark

8 years 11 months ago - 8 years 11 months ago #62453 by Mark
Replied by Mark on topic Password
Ok. I'll calm down now B)

In the table I've got three users from several days ago where the passwords are still in the table.
I think they're accounts that I have manually set to "Active"...

I've now just reset those fields to NULL manually.

PS - I still think it's a really bad idea to send the password to the admin!
Last edit: 8 years 11 months ago by Mark.
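The cleanup Mark describes doing by hand (accounts set to "Active" manually, whose temporary passwords were never cleared) can be turned into a repeatable audit. The following is an added example, not code from the extension discussed in this thread; the table name `membership`, the columns `id`, `username`, `status` and `password`, and the status values `pending`/`active` are assumptions, and the sample rows are constructed for the demo. It uses an in-memory SQLite database so it runs offline; against a real site the same two statements would be run through the site's own database connection.

```python
"""Find subscriber passwords that should have been cleared once the
subscription became active/approved, and clear them.

Added example, not code from the membership extension discussed in the
thread.  Table name, column names and status values are assumptions;
the sample rows are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE membership (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    status   TEXT NOT NULL,  -- assumed: 'pending' until paid/approved, then 'active'
    password TEXT            -- temporary credential; expected to be NULL once active
);
"""

# Constructed sample data: two active rows still carrying a password (the
# situation Mark found after activating accounts by hand), one pending row
# that legitimately still holds it, and one clean active row.
SAMPLE_ROWS = [
    (1, "alice", "active", "s3cret"),
    (2, "bob", "pending", "hunter2"),
    (3, "carol", "active", "letmein"),
    (4, "dave", "active", None),
]

# Shared predicate: rows whose subscription is already active but whose
# temporary password was never cleared.
STALE_WHERE = "status = 'active' AND password IS NOT NULL AND password <> ''"


def open_sample_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO membership VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_stale_passwords(conn: sqlite3.Connection) -> list:
    """Return (id, username) for every stale row.  Only identifiers are
    selected, never the password value, so the audit output is safe to log."""
    cur = conn.execute(
        f"SELECT id, username FROM membership WHERE {STALE_WHERE} ORDER BY id"
    )
    return cur.fetchall()


def clear_stale_passwords(conn: sqlite3.Connection) -> int:
    """NULL out stale passwords and return the number of rows changed.
    Pending rows are left alone because the activation step still needs
    the value; the UPDATE uses the same predicate as the audit query."""
    cur = conn.execute(f"UPDATE membership SET password = NULL WHERE {STALE_WHERE}")
    conn.commit()
    return cur.rowcount


def remaining_passwords(conn: sqlite3.Connection) -> int:
    """Count rows of any status that still store a password (after cleanup
    this should equal the number of genuinely pending subscriptions)."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM membership WHERE password IS NOT NULL AND password <> ''"
    )
    return cur.fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("active rows still holding a password:", find_stale_passwords(db))
    print("rows cleared:", clear_stale_passwords(db))
    print("passwords still stored (pending only):", remaining_passwords(db))
```

Running the audit query on a schedule, and alerting when it returns anything, catches the case the thread describes: a path to "active" (manual activation, a payment gateway callback that skips the cleanup) that leaves the credential behind. The audit deliberately never reads the password column itself, so its output can go into ordinary logs.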

8 years 11 months ago #62471 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Password
Will consider changing it. Of course, admin doesn't need to know the password :).

Tuan
