5

When a customer signs up on my site, they receive a registration confirmation in which the username and password are written. Is it normal to have the password in plain text in the email?

strauss

1 Answer

12

UPDATE: I just noticed that as of Magento CE 1.9.1.0 the password is no longer included in the Welcome Email. The default email template still contains <strong>Password</strong>: {{htmlescape var=$customer.password}}, but as part of several security enhancements customer passwords are no longer stored in plain text in the database. Therefore the email will display a blank space where the password used to be. So my answer below is only applicable to Magento CE 1.9.0.1 and older.

Yes, this was standard procedure. In app/locale/YOURLANGUAGE/template/email/account_new.html around line 25 you will find:

<strong>Password</strong>: {{htmlescape var=$customer.password}}

Option 1: You can change this by editing this email template and either removing this line or replacing it with something like:

The password you have chosen when creating this account.

Option 2: You could also create a new email template in the Admin Panel via System > Email Templates and then set this new template in System > Configuration > Customers > Customer Configuration > Create New Account Options > Welcome Email

MatthijsIJ
  • Thank you. I have chosen option 2. But why does Magento not change the standard procedure? For security, this practice is very dangerous!! – strauss Dec 09 '14 at 10:40
  • I totally agree with you and think Magento should change this! – MatthijsIJ Dec 09 '14 at 10:43
  • It seems to be fixed in 1.9.3.0, no? http://magento.stackexchange.com/a/145996/24845 – Nolwennig Nov 16 '16 at 08:59
  • It seems to have returned in the latest security update. My customer wants it removed. Thanks for posting the solution more than 2 years ago – Irfan Khan Feb 21 '17 at 06:42
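
To check every locale for the line quoted in the answer, here is an added example (not part of the original answer and not Magento's own code) that scans app/locale/*/template/email/ for any directive that outputs customer.password. The function names and the sample templates are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# A template directive that prints the customer's password, for example
# {{htmlescape var=$customer.password}} or {{var customer.password}}.
PASSWORD_DIRECTIVE = re.compile(r"\{\{[^{}]*\bcustomer\.password\b[^{}]*\}\}")


def find_password_directives(magento_root):
    """Return (relative path, line number, directive) for each hit under app/locale."""
    root = Path(magento_root)
    hits = []
    # "**" also covers subfolders of template/email.
    for template in sorted(root.glob("app/locale/*/template/email/**/*.html")):
        text = template.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in PASSWORD_DIRECTIVE.finditer(line):
                rel = template.relative_to(root).as_posix()
                hits.append((rel, lineno, match.group(0)))
    return hits


def build_sample_tree(root):
    """Constructed sample: one stock-style template, one edited as in Option 1."""
    samples = {
        "en_US": (
            "<p>Welcome, {{htmlescape var=$customer.name}}</p>\n"
            "<strong>E-mail</strong>: {{var customer.email}}<br/>\n"
            "<strong>Password</strong>: {{htmlescape var=$customer.password}}\n"
        ),
        "fr_FR": (
            "<strong>E-mail</strong>: {{var customer.email}}<br/>\n"
            "The password you have chosen when creating this account.\n"
        ),
    }
    for locale, body in samples.items():
        path = Path(root, "app/locale", locale, "template/email/account_new.html")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    # Pass a Magento root as the first argument, or run against the sample tree.
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample_tree(tmp)
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        for rel, lineno, directive in find_password_directives(target):
            print(f"{rel}:{lineno}: {directive}")
```

Templates created through System > Email Templates (Option 2) are stored in the database rather than under app/locale, so this scan does not cover them.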