Remove the password option in patron attributes
Hello everybody,

I'd like to get opinions on the password option available in patron attributes. Initially this field was created to allow patrons to use an alternate password to login, but it has never been implemented. I have suggested to remove it on bug 12267 as we don't use it internally and as it's a bad idea to use a password stored in clear text. If you are using this option, please let us know to discuss the matter.

Regards,
Jonathan

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12267
Hi Jonathan,

I think you have a good point about it being a bad idea to store passwords as plain text. So far it seems unused too - removing it would be ok for me.

Katrin

On 19.04.2016 at 09:22, Jonathan Druart wrote:
> Hello everybody,
>
> I'd like to get opinions on the password option available in patron attributes. Initially this field was created to allow patrons to use an alternate password to login, but it has never been implemented. I have suggested to remove it on bug 12267 as we don't use it internally and as it's a bad idea to use a password stored in clear text. If you are using this option, please let us know to discuss the matter.
>
> Regards, Jonathan
>
> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12267
> _______________________________________________
> Koha mailing list http://koha-community.org
> Koha@lists.katipo.co.nz
> https://lists.katipo.co.nz/mailman/listinfo/koha
The PIN is used at our library as a way for patrons to log in to their account online and to use our virtual services. In the patron registration field once the pin is put in the staff can not see what it was. So it is not clear for anyone else to see.

On Tue, Apr 19, 2016 at 3:07 PM, Katrin Fischer <Katrin.Fischer.83@web.de> wrote:
> Hi Jonathan,
>
> I think you have a good point about it being a bad idea to store passwords as plain text. So far it seems unused too - removing it would be ok for me.
>
> Katrin
--
Dianna Waite
Head of Circulation
Email: diawaite@salpublib.org - Phone: 785 825 4624 x 221
Website <http://www.salinapubliclibrary.org/> - Library Events <http://salina.evanced.info/signup/EventCalendar.aspx> - Search the Library Catalog <http://salpublib.kohalibrary.com/cgi-bin/koha/opac-main.pl> - Reserve a Room @ the Library <http://www.salinapubliclibrary.org/programsservices/join/rooms>
Hi Dianna,

The PIN/Password we are talking about here is separate from the normal user id and password that you put in when you are registering a borrower. That user id and password are what allow logins to the public side of Koha, these extended attribute passwords are different to those, they are stored in plain text (very bad), and don't have any code behind them to even be used.

You can confirm whether or not you are trying to use this feature by going to Administration -> Patron attribute types, and clicking through each one, verifying that the "Password" box is not checked on any of the attributes. If you have no attributes listed here, you are not using this and it would be safe for us to remove it. :)

I hope this helps, please let us know what you find.

Cheers,
Liz

On 20/04/16 08:29, Dianna Waite wrote:
> The PIN is used at our library as a way for patrons to log in to their account online and to use our virtual services. In the patron registration field once the pin is put in the staff can not see what it was. So it is not clear for anyone else to see.
--
Liz Rea
Catalyst.Net Limited
Level 6, Catalyst House, 150 Willis Street, Wellington.
P.O Box 11053, Manners Street, Wellington 6142
GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
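
The check Liz describes in the staff interface can also be run directly against the database. This is an added example, not part of the original thread and not Koha's own code. It assumes the Koha schema from before the option was removed, in which `borrower_attribute_types.password_allowed` marks an attribute type and `borrower_attributes.password` holds the stored value; verify both column names against your installed version.

```sql
-- Added example: audit for use of the patron-attribute password option.
-- Assumed schema (pre-removal Koha): borrower_attribute_types.password_allowed
-- and borrower_attributes.password. Check these names against your version.

-- 1. Attribute types with the "Password" box checked, and how many patrons
--    have a value stored for each. Only counts are returned, never the values.
SELECT t.code,
       t.description,
       COUNT(a.borrowernumber) AS patrons_with_attribute,
       SUM(a.password IS NOT NULL AND a.password <> '') AS stored_passwords
FROM borrower_attribute_types AS t
LEFT JOIN borrower_attributes AS a ON a.code = t.code
WHERE t.password_allowed = 1
GROUP BY t.code, t.description;

-- 2. Values still stored on attribute types where the box is NOT checked,
--    for example left over from an earlier configuration.
SELECT a.code,
       COUNT(*) AS leftover_passwords
FROM borrower_attributes AS a
JOIN borrower_attribute_types AS t ON t.code = a.code
WHERE t.password_allowed = 0
  AND a.password IS NOT NULL
  AND a.password <> ''
GROUP BY a.code;
```

If both queries return no rows, no attribute type has the option enabled and no plain-text values are stored.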
Hi,

On Tue, Apr 19, 2016 at 3:22 AM, Jonathan Druart <jonathan.druart@bugs.koha-community.org> wrote:
> I'd like to get opinions on the password option available in patron attributes. Initially this field was created to allow patrons to use an alternate password to login, but it has never been implemented. I have suggested to remove it on bug 12267 as we don't use it internally and as it's a bad idea to use a password stored in clear text.

+1 to removing it. As you say, full functionality was never implemented for that feature (although had it been, hashing would almost certainly have been used, but that's really beside the point).

Regards,

Galen
--
Galen Charlton
Infrastructure and Added Services Manager
Equinox Software, Inc. / Open Your Library
email: gmc@esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
participants (5)
- Dianna Waite
- Galen Charlton
- Jonathan Druart
- Katrin Fischer
- Liz Rea