security: suggest installing ep_hash_auth to get rid of plain text passwords

In its current form, Etherpad stores passwords for users in plain text in
settings.json. We should at least mention the opportunity of installing
ep_hash_auth to start tackling this problem.

The advice was added in README.md and in settings.json.template

Fixes #3444
muxator 2018-08-09 00:17:15 +02:00
parent 044f761b99
commit 10f0cb3253
2 changed files with 12 additions and 0 deletions

@ -289,15 +289,21 @@
*
* is_admin = true gives access to /admin.
* If you do not uncomment this, /admin will not be available!
*
* WARNING: passwords should not be stored in plaintext in this file.
* If you want to mitigate this, please install ep_hash_auth and
* follow the section "secure your installation" in README.md
*/
/*
"users": {
"admin": {
// "password" can be replaced with "hash" if you install ep_hash_auth
"password": "changeme1",
"is_admin": true
},
"user": {
// "password" can be replaced with "hash" if you install ep_hash_auth
"password": "changeme1",
"is_admin": false
}
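Review bot: the inline comment on the two `"password"` lines says the key "can be replaced with "hash"" but does not say what value `"hash"` expects or that the plaintext `"password"` entry should be removed once it is set, so someone editing only this file could end up keeping both. Suggest repeating the pointer to the README section named in the WARNING on those lines, or folding the two duplicate comments into one sentence in the WARNING block. The WARNING is also phrased as optional ("If you want to mitigate this") while both sample accounts, including the `"is_admin": true` one, still carry the same placeholder `changeme1`; consider stating that the placeholder must be changed before this block is uncommented. Finally, the README hunk is not visible here, so please confirm its heading matches the quoted "secure your installation" exactly.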