Transactional emails: passwords exposed in plain text

I am using Magento 1.9.3.2

I created an account on my store with my actual email address. When I went to check my email, I discovered the welcome email contained the following message (note that the asterisks are there in this post for privacy):

Use the following values when prompted to log in:

E-mail : *********@gmail.com

Password : test123

To my astonishment and horror, Magento emailed me my email address and password IN PLAIN TEXT.

This is absolutely irresponsible security. I cannot envision a scenario where doing this would be even remotely acceptable.

I have since created a custom template for this transactional email to ameliorate this bizarre issue. I strongly advise that a patch be created to eradicate this, and any other areas of Magento which expose a customer's password in plain text. I suspect this may be the only instance like this, as passwords are encrypted immediately, but it is worth it to verify nonetheless.
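The post's closing suggestion, verifying that no other transactional email template renders a customer's password, can be turned into a repeatable check. The script below is an added example, not code from the post or from Magento: it scans Magento 1 style template text for `{{var ...}}` / `{{htmlescape var=$...}}` directives whose variable path references a sensitive field and reports the line and directive. The directive regex, the `SENSITIVE_PATTERNS` list and both sample templates are assumptions constructed for this example; the leaky sample mirrors the wording quoted in the post and is not the real `account_new.html` file.

```python
import re

# Magento 1 email templates use directives such as {{var customer.email}} or
# {{htmlescape var=$customer.password}}. This regex captures the directive
# name and body (assumption: it covers the common directive forms).
DIRECTIVE_RE = re.compile(r"\{\{\s*(\w+)\s+([^}]*)\}\}")

# Variable-path fragments that must never be rendered into an outbound email.
SENSITIVE_PATTERNS = ("password", "passwd", "secret", "token")


def find_sensitive_directives(template_text):
    """Return (line_number, directive_text) pairs whose variable path
    references a sensitive field. Plain prose mentioning the word
    'password' is ignored; only template directives are inspected."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in DIRECTIVE_RE.finditer(line):
            body = match.group(2).lower()
            if any(pattern in body for pattern in SENSITIVE_PATTERNS):
                findings.append((lineno, match.group(0)))
    return findings


def audit_templates(templates):
    """templates: {path: template_text}. Returns {path: findings} containing
    only the templates that leak a sensitive field."""
    report = {}
    for path, text in templates.items():
        hits = find_sensitive_directives(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample resembling the welcome email quoted in the post.
LEAKY_TEMPLATE = """<p>Use the following values when prompted to log in:</p>
<p>E-mail : {{var customer.email}}</p>
<p>Password : {{htmlescape var=$customer.password}}</p>
"""

# Constructed replacement: the email confirms the account without ever
# echoing the credential back; the user sets or resets the password via
# the store's normal reset flow instead.
SAFE_TEMPLATE = """<p>Your account has been created.</p>
<p>E-mail : {{var customer.email}}</p>
<p>To set a new password, use the "Forgot your password?" link on the store login page.</p>
"""

if __name__ == "__main__":
    report = audit_templates({
        "account_new.html": LEAKY_TEMPLATE,
        "account_new_safe.html": SAFE_TEMPLATE,
    })
    for path, hits in report.items():
        for lineno, directive in hits:
            print(f"{path}:{lineno}: sensitive directive {directive}")
```

Pointing `audit_templates` at the contents of every file under the store's email template locale directory gives a quick inventory of which templates (welcome, password reset, admin notifications) would put a credential on the wire; any hit is a template to rewrite along the lines of the safe sample.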