Increase team security #9467

Closed
Namelecc opened this issue Jul 26, 2021 · 5 comments

Comments

@Namelecc

Groups that are private with passwords are not protected, as the password is not concealed via hashing... it's just there in plain text. Hashing should be done to conceal the password, just as it is done for account passwords.

@ijhchess
Contributor

Can't storing passwords in plain text result in GDPR issues?

@lakinwecker
Collaborator

lakinwecker commented Jul 26, 2021

> Can't storing passwords in plain text result in GDPR issues?

I doubt it. In this case, it's private to the public, but shared with the rest of the team members. So it's probably treated more like the content that's also stored in plain text and shown to team members, like chat and forum posts in the team etc. So it can be treated the same as that.

@lakinwecker
Collaborator

I'm 99% sure we do it this way because we want to show the team leaders the password so that they can look it up when they want to share it with members that they want to join the team. The password is meant to be shared. As a result, it's likely shared, stored and transmitted in plain text in a number of other contexts, and us hashing it probably doesn't increase security much, IMO.

@ijhchess
Contributor

Good to know there shouldn't be GDPR issues with this!

> I'm 99% sure we do it this way because we want to show the team leaders the password so that they can look it up when they want to share it with members that they want to join the team.

This makes sense as to why it's stored in plain text; however, isn't there a potential security issue if someone got unauthorized access to a team leader's account and obtained the password? You are right that team passwords are shared, but it seems like the current system has a higher likelihood of a security breach. Also, team leaders having to look up the password shouldn't be too much of an issue as they will need the password to join the team in the first place, and they could always store the password locally on their computer if they really were worried about forgetting it.

@lakinwecker
Collaborator

If we hash it, we have to provide a way for a team leader to change it. So if someone gains access to your account, they can then immediately change the group password to something they know and do whatever it was they would have done if they just saw it to begin with. Can you provide specifically a use case where security would be improved by hashing this? As of right now, I don't see one.

And the idea of using another sensitive password as your team password is also a moot example. If you plan to use, for example's sake, your bank password to protect your team, and then you plan to then send that password to all of your friends to get them to join it, then I'm not sure hashing it will help you.

@benediktwerner changed the title from "Increase Group Security" to "Increase team security" on Aug 3, 2021