Access codes are stored as plain text

Created on 2 April 2025, 4 days ago

Problem/Motivation

Access codes are basically passwords and it is a bad practice to store passwords as plain text.
If someone can somehow get a copy of the content of the access_code table, they gain access to every account in it.
A better practice would be to store a hash of the access code and compare this hash when the user is trying to log in.

Steps to reproduce

Proposed resolution

The password service can be used to generate a hash:

\Drupal::service('password')->hash($accessCode);

But this would prevent some features like displaying the login link on the user form.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Version

2.0

Component

Code

Created by

🇫🇷France prudloff Lille

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

  • Issue created by @prudloff
  • Thank you for reporting. Using an access code is inherently less secure than a username/password. It is a compromise in security in favor of convenience, and there is a warning about this on the module page.

    I certainly agree that storing passwords in plain text is inappropriate. However, access codes are typically 4-6 digits. If they were hashed, they could be cracked in under a second, given someone has access to the database. Therefore, in relation to this module, I don't perceive hashing as a major security enhancement.
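
The two positions in this thread (store a hash and compare it at login; short numeric codes leave few candidates to hash) can be put side by side in an added example. It is not the module's code or either commenter's. Assumptions: PHP's password_hash() stands in for the hashing the issue proposes, the HMAC key held outside the database is a design choice not mentioned on the page, and all function names are hypothetical.

```php
<?php
// Added example, not the module's code. All function names are hypothetical.

// Keyed digest to store instead of the plain code. Assumption: the key is
// kept outside the database (for example in settings.php), so a copy of the
// table alone is not enough to test candidate codes offline.
function access_code_digest(string $code, string $key): string {
  return hash_hmac('sha256', $code, $key);
}

// Constant-time comparison of a submitted code with the stored digest.
function access_code_matches(string $submitted, string $storedDigest, string $key): bool {
  return hash_equals($storedDigest, access_code_digest($submitted, $key));
}

// Worst-case seconds to hash every all-digit code of the given length.
function exhaust_seconds(int $digits, float $secondsPerHash): float {
  return (10 ** $digits) * $secondsPerHash;
}

// Measure the cost of one salted, unkeyed hash on this machine.
$code = '482913'; // constructed sample access code
$start = hrtime(true);
$unkeyed = password_hash($code, PASSWORD_DEFAULT);
$perHash = (hrtime(true) - $start) / 1e9;

// The candidate count is fixed by the code length, whatever hash is used.
foreach ([4, 5, 6] as $digits) {
  printf("%d digits: %7d codes, about %.0f s to hash all of them at %.3f s each\n",
    $digits, 10 ** $digits, exhaust_seconds($digits, $perHash), $perHash);
}

// Keyed variant. The digest is deterministic, so it can also be used as an
// indexed lookup column when the code is the only thing the user submits
// (assumption about how the login form works).
$key = random_bytes(32); // constructed; a real key must persist across requests
$stored = access_code_digest($code, $key);

var_dump(access_code_matches('482913', $stored, $key)); // same code as stored
var_dump(access_code_matches('482914', $stored, $key)); // different code
var_dump(password_verify($code, $unkeyed));             // unkeyed hash check
```

Either stored form is one-way, so the limitation raised in the issue (the login link can no longer be displayed on the user form) applies to both.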
