Transactional emails: passwords exposed in plain text
I am using Magento 18.104.22.168
I created an account on my store with my actual email address. When I went to check my email, I discovered the welcome email contained the following message (note that the asterisks are there in this post for privacy):
Use the following values when prompted to log in:
E-mail : *********@gmail.com
Password : test123
To my astonishment and horror, Magento emailed me my email address and password IN PLAIN TEXT.
This is absolutely irresponsible security. I cannot envision a scenario where doing this would be even remotely acceptable.
I have since created a custom template for this transactional email to ameliorate this bizarre issue. I strongly advise that a patch be created to eradicate this, and any other areas of Magento which expose a customer's password in plain text. I suspect this may be the only instance like this, as passwords are encrypted immediately, but it is worth it to verify nonetheless.