Magento – Why does the Magento 1.9.3.4 welcome email still send the customer password in plain text?

magento-1.9, password

Why does the Magento 1.9.3.4 welcome email still send the customer password in plain text?

I think this is not safe at all. I know that I can replace the line <strong>Password</strong>: {{htmlescape var=$customer.password}} to not show the passwords.

I thought that after 1.9 it wouldn't show passwords any more, but I accidentally found that the welcome email includes the password in plain text.

I wonder whether my Magento code has a security problem, because I think the password should not be seen or shown by any method.

Best Answer

Yes, it is true that the welcome mail contains the password in plain text, but some say that it is a bad practice and others do not. I'll let you read this answer, with the advantages and disadvantages, and the Magento Security Enhancements.

In any case you can change it by making one of these two choices:

In app/locale/YOURLANGUAGE/template/email/account_new.html you find:

<strong>Password</strong>: {{htmlescape var=$customer.password}}

Choice 1: You can change this by changing this email template and either remove this line or replace it with something like:

The password you have chosen when creating this account.

Choice 2: You could also create a new email template in the Admin Panel via System > Email Templates and then set this new template in System > Configuration > Customers > Customer Configuration > Create New Account Options > Welcome Email.
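
To check that the line from Choice 1 is gone from every locale and not only the one that was edited, the shell function below lists each file-based email template that still renders the customer password. It is an added example, not part of the original answer or of Magento; the function name find_password_templates is hypothetical, and it assumes the app/locale/<locale>/template/email/ layout shown in the path above.

```shell
#!/bin/sh
# Added example: list Magento 1 file-based email templates that still
# render the customer's password.
#
# Usage (after sourcing this file):
#   find_password_templates /path/to/magento/root
#
# Output: one "file:line:text" entry per offending template line.
# Return: 0 if at least one such line exists, 1 if none, 2 if the
#         directory does not look like a Magento root.
find_password_templates() {
    fpt_root=${1:-.}
    fpt_dir="$fpt_root/app/locale"

    if [ ! -d "$fpt_dir" ]; then
        echo "find_password_templates: no app/locale under $fpt_root" >&2
        return 2
    fi

    # Match any template directive that references customer.password,
    # e.g. {{htmlescape var=$customer.password}} or {{var customer.password}}.
    # /dev/null forces grep to print the file name even for a single file;
    # "|| true" keeps a no-match grep status from aborting under "set -e".
    fpt_hits=$(find "$fpt_dir" -type f -path '*/template/email/*' -name '*.html' \
        -exec grep -nE '\{\{[^}]*customer\.password[^}]*\}\}' /dev/null {} + \
        2>/dev/null || true)

    [ -n "$fpt_hits" ] || return 1
    printf '%s\n' "$fpt_hits"
}
```

Templates created in the Admin Panel (Choice 2) are not files under app/locale, so this check does not cover them; review those in System > Email Templates.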
