SMTP password shown as plain text (not encrypted).

maxdome

Chevereto Member
Hi, Rodolfo

I just realized that the SMTP password stored in the database table settings is shown as plain text (not encrypted).
Is that the way it's supposed to be? Could this be a security issue? Because the password is our company email password.

I know this SMTP password cannot be encrypted because it's passed to SMTP as text, but you can use MD5 Encrypter and MD5 Decrypter.

Thank You.

Regards,
Maxdome
 
There is no sense in encrypting those passwords because the decryption will be on the same table/script since the password must be passed as-is to the SMTP server.
 
You can put it in the code many different ways.

Using an encrypted method with a salt would be even safer, but this would be a good next step past just using an MD5 hash.


PHP:
// Requires the mcrypt extension (removed from PHP core in 7.2).
$input = "MySMTPPassword";

$encrypted = encryptIt( $input );
$decrypted = decryptIt( $encrypted );

echo $encrypted . '<br />' . $decrypted;

// Encrypts with Rijndael-256 in CBC mode; key and IV are both derived from $cryptKey via md5().
function encryptIt( $q ) {
    $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
    $qEncoded = base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), $q, MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ) );
    return( $qEncoded );
}

// Reverses encryptIt(); rtrim() strips the zero-byte padding that mcrypt adds.
function decryptIt( $q ) {
    $cryptKey = 'qJB0rGtIn5UB1xG03efyCp';
    $qDecoded = rtrim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), base64_decode( $q ), MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ), "\0");
    return( $qDecoded );
}

e.g. contact.php
PHP:
// Read the stored (encrypted) value from the settings and decrypt it for the mailer.
$maildecrypt = CHV\getSettings()['email_smtp_server_password'];
$mail->Password = decryptIt($maildecrypt);
 
There is no additional security in encrypting something that you locally know how to easily decrypt.

No matter how many transformations you do, the real thing is that you have "AAA" and save it as "ENCRYPTED" but you have the decrypt method right there. It is like having a case with a very sophisticated key and keeping the key 20 cm away from the case.

This is useless. Period.
 
Yes, I know, and you are absolutely right.
But it is better to encrypt the passwords in the database
because this protects us from SQL injection attacks (password extraction).

Anyway, thanks for your answer.

Best Regards:
Gio
 
I appreciate the interest but I don't share that interest for the proposed protection method.
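
The trade-off debated in this thread, as an added example that is not part of the original posts and is not Chevereto code: the password is stored with authenticated encryption (libsodium's secretbox, swapped in for the mcrypt calls posted above) and the key is read from the server environment instead of the script or the database. A dump of the settings table then yields only ciphertext, while anyone who can read the server's environment or code can still decrypt it. The variable name SMTP_SECRET_KEY and the function names are hypothetical.

```php
<?php
// Added example, not Chevereto code. Needs PHP >= 7.2 (bundled sodium extension).
// SMTP_SECRET_KEY is a hypothetical environment variable: base64 of a 32-byte key.
function loadKey(): string
{
    $b64 = getenv('SMTP_SECRET_KEY');
    $key = ($b64 === false) ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('SMTP_SECRET_KEY missing or not a base64-encoded 32-byte key');
    }
    return $key;
}

// Returns base64(nonce || ciphertext+MAC), the value to store in the settings table.
function encryptSetting(string $plaintext): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value, never derived from the key
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, loadKey()));
}

// Returns the plaintext, or throws if the stored value is malformed or was modified.
function decryptSetting(string $stored): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, loadKey());
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or tampered value');
    }
    return $plain;
}

// Demo with constructed values: a throwaway key and a sample password.
putenv('SMTP_SECRET_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$stored = encryptSetting('MySMTPPassword'); // this is all a database dump would contain
echo $stored, PHP_EOL;
echo decryptSetting($stored), PHP_EOL;      // this is what the mailer receives

// A value altered in the database is rejected instead of decrypting to garbage.
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1); // flip one bit
try {
    decryptSetting(base64_encode($raw));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```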
 