
Transactional emails: passwords exposed in plain text

I am using Magento


I created an account on my store with my actual email address. When I went to check my email, I discovered the welcome email contained the following message (note that the asterisks are there in this post for privacy):


Use the following values when prompted to log in:

E-mail : *********

Password : test123


To my astonishment and horror, Magento emailed me my email address and password IN PLAIN TEXT.


This is absolutely irresponsible security. I cannot envision a scenario where doing this would be even remotely acceptable.


I have since created a custom template for this transactional email to ameliorate this bizarre issue. I strongly advise that a patch be created to eradicate this, and any other areas of Magento which expose a customer's password in plain text. I suspect this may be the only instance like this, as passwords are encrypted immediately, but it is worth it to verify nonetheless.
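As an added defensive check (not part of the original post, and not Magento code), here is a small Python scanner that flags an outgoing transactional email whose body carries a labelled credential line or the customer's submitted password verbatim. It is run over a constructed copy of the welcome message quoted above and over a constructed non-leaking alternative; the function names and both message bodies are assumptions for this example.

```python
import re
from typing import List, Optional

# Constructed sample: the welcome email body quoted in the post above
# (address redacted as in the post, password as quoted there).
LEAKY_WELCOME_EMAIL = """Use the following values when prompted to log in:

E-mail : *********

Password : test123
"""

# Constructed alternative: a welcome email that never echoes the secret.
SAFE_WELCOME_EMAIL = """Welcome! Your account has been created.

Sign in with the e-mail address you registered. If you forget your
password, use the "Forgot your password?" link on the sign-in page.
"""

# Labelled credential lines such as "Password : test123" or "passwd=hunter2".
CREDENTIAL_LINE = re.compile(
    r"^\s*pass(?:word|wd)?\s*[:=]\s*(\S+)", re.IGNORECASE | re.MULTILINE
)


def find_password_disclosures(body: str, known_password: Optional[str] = None) -> List[str]:
    """Return the reasons an outgoing message looks like it discloses a password.

    Two checks: a labelled 'Password :' line with a non-empty value, and, when the
    test harness knows the plaintext the customer submitted, a literal occurrence
    of that value anywhere in the body (catches unlabelled echoes too).
    """
    findings = []
    for m in CREDENTIAL_LINE.finditer(body):
        findings.append(f"labelled credential line: {m.group(0).strip()}")
    if known_password and known_password in body:
        findings.append("submitted password appears verbatim in message body")
    return findings


def is_safe_to_send(body: str, known_password: Optional[str] = None) -> bool:
    """True when no disclosure was found; block or rewrite the message otherwise."""
    return not find_password_disclosures(body, known_password)
```

Wired into a registration test (sign up with a known password, capture the generated email, assert `is_safe_to_send`), this turns the problem described above into a regression check rather than a manual discovery.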