SMTP password shown as plain text (not encrypted).

maxdome

Chevereto Member
Hi, Rodolfo

I just realized that the SMTP password stored in the database table settings is shown as plain text (not encrypted).
Is that the way it's supposed to be? Could this be a security issue? Because the password is our company email password.

I know this SMTP password cannot be encrypted because it's passed to the SMTP server as text, but you can use MD5 Encrypter and MD5 Decrypter.

Thank You.

Regards,
Maxdome
 
There is no sense in encrypting those passwords because the decryption will be on the same table/script since the password must be passed as-is to the SMTP server.
 
You can put it in the code many different ways.

Using an encrypted method with a salt would be even safer, but this would be a good next step past just using an MD5 hash.


PHP:
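// Note: ext/mcrypt was deprecated in PHP 7.1 and removed from core in PHP 7.2.
$input = "MySMTPPassword";

$encrypted = encryptIt( $input );
$decrypted = decryptIt( $encrypted );

echo $encrypted . '<br />' . $decrypted;

// Encrypts $q with Rijndael-256 in CBC mode and returns it base64-encoded.
// The key is md5( $cryptKey ); the IV is fixed (md5 of that md5), so equal
// inputs always produce equal outputs.
function encryptIt( $q ) {
    $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
    $qEncoded = base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), $q, MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ) );
    return $qEncoded;
}

// Reverses encryptIt(): base64-decodes, decrypts, and strips the zero padding.
function decryptIt( $q ) {
    $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
    $qDecoded = rtrim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), base64_decode( $q ), MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ), "\0" );
    return $qDecoded;
}

e.g: contact.php
PHP:
// Read the stored (encrypted) value from settings and decrypt it for the mailer.
$maildecrypt = CHV\getSettings()['email_smtp_server_password'];
$mail->Password = decryptIt( $maildecrypt );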
 
There is no additional security in encrypting something that you locally know how to easily decrypt.

No matter how many transformations you do, the real thing is that you have "AAA" and save it as "ENCRYPTED" but you have the decrypt method right there. It is like having a case with a very sophisticated key and keeping the key 20 cm away from the case.

This is useless. Period.
 
Yes, I know and you are absolutely right.
But it is better to encrypt the passwords in the database
because this protects us from an SQL injection attack (password extraction).

Anyway, thanks for your answer.

Best Regards:
Gio
 
I appreciate the interest but I don't share that interest for the proposed protection method.
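
The thread turns on where the decryption key lives relative to the stored value. The following is an added example, not part of any post above and not Chevereto code: it keeps the key in the server environment rather than in the database, so a read of the settings table alone yields only ciphertext, while anyone who can read the web server's environment or code can still decrypt. The variable name SMTP_SECRET_KEY and the functions loadKey(), sealSecret() and openSecret() are hypothetical.

```php
<?php
// Added example, not Chevereto code. Hypothetical names: SMTP_SECRET_KEY,
// loadKey(), sealSecret(), openSecret(). Needs PHP >= 7.1 with ext/openssl.

/** Load the 32-byte key from the environment, i.e. from outside the database. */
function loadKey(): string
{
    $b64 = getenv('SMTP_SECRET_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('SMTP_SECRET_KEY must be base64 of 32 random bytes');
    }
    return $key;
}

/** Encrypt with AES-256-GCM; returns base64(iv || tag || ciphertext) for the settings row. */
function sealSecret(string $plain, string $key): string
{
    $iv = random_bytes(12);   // fresh random nonce for every encryption
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Decrypt; throws if the stored value was modified or the key is wrong. */
function openSecret(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte IV + 16-byte tag
        throw new RuntimeException('malformed stored value');
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Constructed demo: a throwaway key stands in for the one set in the server environment.
putenv('SMTP_SECRET_KEY=' . base64_encode(random_bytes(32)));
$key = loadKey();
$stored = sealSecret('MySMTPPassword', $key);   // this is what the database would hold
echo $stored, PHP_EOL, openSecret($stored, $key), PHP_EOL;
```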
 