Dirty Butter

ODD passwords in database

I've been taking a closer look at several database tables than I ever have because I'm working on the upgrade from 6.1.15 to 6.2.1+.

Out of about 4k registered customers I accidentally noticed that about 100 of them have MY admin password as THEIR databased password. Some have orders, others do not. They are not from a specific time period, but are interspersed through the data.

Any idea how this happened, so I can prevent it in the future? I do sometimes login as a customer for various purposes. Did I cause this by doing that?

Also, should I just wipe the password and leave it blank? We rarely get repeat customers because of what we sell, but if one of these customers were to try to login again they would have issues. Will the forgot password link allow for creating a new password, or balk at trying to retrieve a non-existent one?


Are these customers that you created or have updated at any time? If you have saved passwords in your browser for your own login, then when editing other customers, your browser can pre-fill passwords which you then accidentally save. I have seen similar issues with SMTP email settings being overwritten by browser-stored settings.

Ian

Posted (edited)

That's probably what has happened. I should be able to login as a customer and then log out of admin before I do whatever I was going to do on the storefront. That's no biggie, as I have to log back into admin after I logout as a customer anyway. That will keep it from happening in the future. No, my browser still puts my login info in the blanks. There needs to be some way to REALLY wipe the admin login details on logout, but save them for login. Does such a system even exist?


Edited by Dirty Butter


The true password is salted and scrambled, then databased. That said, if the 128 character hash is identical, then it strongly suggests there is some malfunction happening. Meaning, the true but wrong password got POSTed by the browser, and the salting was the same. Or a database query was read out of cache and used to pre-populate a $data array for INSERTion.

Also, unless your browser is really stupid and/or old, text entry input fields of type "password" are never pre-populated with old or 'remembered' past entries.


Each of the 100 or so had my password very obviously readable, or I would not have even noticed it. Each also had a salt - not the same one so I would guess these were created when the original password was created.

I have always used up-to-date Firefox. I DO see my CC admin name showing up in blank fields when I login as a customer. It just never occurred to me that some of them were being saved. I do NOT have any kind of field-saving FF plugin, etc., in use. Just the stock password saving.

I did delete my password from the customer database records. I was able to use the CC Remember Password system to populate my test account with another password easily. So these past customers will be able to access their accounts by creating a new password.

I just don't want this happening again, if possible. Our customers are sometimes not used to buying online from anywhere other than maybe Amazon or eBay. We end up creating orders for them once they have created an account. (That's been easier to do via login as the customer than trying to create an order from within Admin because shipping is not created from within Admin.) We then invoice them via PayPal.


"my password very obviously readable"

There is something incredibly wrong. These records were created at some time in the past (that is, having used a much earlier version of CubeCart), or if recently then maybe some sort of plugin? What values are in the 'registered' column? (There may not be values in the 'ip_address' column.)

The 'remembered' entries for a similarly named text entry input field are understandable. They show as a drop-down. Unless the HTML is as follows:

From Foundation as shipped with CC620, in content.login.php:
<input autocomplete="off" name="username" id="login-username" placeholder="Email Address (Required)" value="" required="" type="text">

Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.


The registered column has different 10-digit numbers. I also see that those same records that had my password in them (I've erased the entry) have my login name in the unused mobile column (I don't require both phone numbers).

My content.login.php has been stock at least as far back as the last crazy password record.

<input type="text" autocomplete="off" name="username" id="login-username" placeholder="{$LANG.user.email_address} {$LANG.form.required}" value="{$USERNAME}" required>

So is FF not respecting the autocomplete="off" ??? I double checked - I do not have FF set to Autofill addresses - never have as far as I know.

As for plugins - dirtybutter.com is a WordPress site with the same admin name and password. Could that be causing it? That would be easily fixed.
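A small audit script for the cross-check described in this post and the earlier ones (the password column holding the admin password, and the unused mobile column holding the admin login name). This is an added example, not CubeCart's own code: the column names, the stand-in salted hash and all sample rows are constructed for illustration, and CubeCart's real hashing scheme is not reproduced.

```python
"""Audit customer rows for admin credentials saved by browser autofill (constructed example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Finding:
    customer_id: int
    reasons: list = field(default_factory=list)


# Constructed placeholder admin credentials, not real values.
ADMIN_USERNAME = "storeadmin"
ADMIN_PASSWORD = "Adm1nPassw0rd!"


def hash_password(password: str, salt: str) -> str:
    """Stand-in salted hash; CubeCart's own scheme is not reproduced here."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def audit_customers(rows, admin_username, admin_password):
    """Flag rows where admin details ended up in customer fields.

    Checks: (1) the password column holds the admin password verbatim, as the
    thread reports; (2) it holds the admin password hashed with that row's own
    salt, i.e. it was saved through the normal hashing path; (3) the unused
    'mobile' column holds the admin username.
    """
    findings = []
    for row in rows:
        reasons = []
        if row["password"] == admin_password:
            reasons.append("plaintext admin password in password column")
        elif row["password"] == hash_password(admin_password, row["salt"]):
            reasons.append("password column is the admin password hashed with this row's salt")
        if row.get("mobile", "") == admin_username:
            reasons.append("admin username in mobile column")
        if reasons:
            findings.append(Finding(row["customer_id"], reasons))
    return findings


CUSTOMERS = [  # constructed sample rows
    {"customer_id": 1, "password": hash_password("hunter2x", "s1"), "salt": "s1", "mobile": ""},
    {"customer_id": 2, "password": "Adm1nPassw0rd!", "salt": "s2", "mobile": "storeadmin"},
    {"customer_id": 3, "password": hash_password("Adm1nPassw0rd!", "s3"), "salt": "s3", "mobile": ""},
    {"customer_id": 4, "password": hash_password("otherpw", "s4"), "salt": "s4", "mobile": "storeadmin"},
]

if __name__ == "__main__":
    for f in audit_customers(CUSTOMERS, ADMIN_USERNAME, ADMIN_PASSWORD):
        print(f.customer_id, "; ".join(f.reasons))
```

Run it against an export of the customer table (with the real column names substituted) to list the records to clean, rather than spotting them by eye.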

5 minutes ago, Dirty Butter said:

"dirtybutter.com is a WordPress site with the same admin name and password. Could that be causing it? That would be easily fixed."

Browsers can mistakenly pre-fill passwords that are saved from different areas on the same domain, but the fact that you have the same username and password is bad from a security point of view, not the cause. Download and use LastPass, which is a free password manager (the mobile version has a small fee), and that way you can have very complex (20 plus random characters) and unique passwords for every single site. It will help you identify all sites where you have the same passwords and also delete browser / locally based passwords as well.

Ian


I do use complex passwords, but just was lazy with the dirtybutter domain logins. I'll remedy that. Thanks Ian.


I changed the login details for all my sites on the dirtybutter domain. I was being lazy. Now I have a drop down list on each login screen, so I have to take the time to choose the correct login name for each site. That's an insignificant inconvenience compared to having blank fields accidentally being saved in CC customer records with my information.
