
User password served in clear text


DMP Lacidem


Hi there :)

I'm reaching out to all of you because I have a question. That's a good start, isn't it? 😅

  • I'm not a PS developer,
  • I'm used to CMSs, but not PS yet,
  • An agency did the work.

Today, while taking a look at our new "PrestaShop website", I went to the customer profile and discovered that I can see the user's password in clear text in the system. Well, a user, in his own area, can see his password.


(yes, "password" is the password; it was for testing purposes).

When I saw that, I thought the password wasn't hashed and salted. But it seems PS uses MD5 and a salt key in the variable cookie_key.

OK... So... How is it possible to see the password in clear text in the Front Office on the user profile? If I understand MD5 correctly, it's not even encryption, it's "just" a fingerprint. So... how is it possible to read the password in clear text? Is there a way to bypass MD5? I understand nothing? 🤣🤣

It sounds impossible to me... but I'm able to do it!

 

As I'm very curious, I'm asking in order to understand :)

 

Thanks 💋


10 hours ago, rrataj said:

I bet this password is just remembered and prefilled by the browser. This has nothing to do with PrestaShop password management. Please try a different browser to confirm.

Hi Rrataj,

thanks for the reply.

Regarding your response, it's normally impossible to have such a function (displaying in clear text a user password that is hashed with MD5) without having it written in clear text in the DB?

And is there a way to "force" PrestaShop to write them in clear text? Or maybe it's just impossible to have unencrypted passwords with PS?

To respond to your remark, I have tested it with other browsers with the same result.

That's why I'm so... confused 😅

How is this possible? 😅😲🙃


From my knowledge it's not possible. Presta uses bcrypt to store passwords, and it's not displayed on the frontend in any way.

The only thing this button ("show password") does is show you the actual password/characters you are typing into the input instead of stars, so you can check that you typed what you wanted. That's why I suggested that your browser/password manager fills in this data for you, and that's why you can see it.

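A check that settles the question the thread keeps circling back to (is the password sitting in the database in clear text, or is the browser filling in the field?), written as an added example and not PrestaShop's own code. It takes the `passwd` column of `ps_customer` (the default `ps_` table prefix and the legacy `md5(_COOKIE_KEY_ . password)` scheme are assumed; the cookie key and the sample rows below are constructed, and the bcrypt-looking string is only format-valid, not a real hash of anything) and sorts every stored value into bcrypt, legacy MD5 or "neither", which is what a plaintext password would look like. It also shows the only operation a hash supports: checking a guess, never reading the password back.

```python
# Added example: audit what the ps_customer.passwd column actually holds.
# Not PrestaShop code; table/column names and the legacy scheme are assumptions.
import hashlib
import hmac
import re

# Constructed stand-in for the shop's _COOKIE_KEY_ (app/config/parameters.php).
COOKIE_KEY = "EXAMPLE_COOKIE_KEY_NOT_A_REAL_ONE"

# bcrypt: $2y$<cost>$ + 22-char salt + 31-char digest = 60 characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Legacy PrestaShop: 32 lowercase hex characters.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def legacy_hash(cookie_key: str, password: str) -> str:
    """Legacy scheme assumed here: md5(_COOKIE_KEY_ . password). One-way."""
    return hashlib.md5((cookie_key + password).encode("utf-8")).hexdigest()


def verify_legacy(cookie_key: str, candidate: str, stored: str) -> bool:
    """All a hash lets you do: recompute from a guess and compare.
    There is no function that turns `stored` back into the password."""
    return hmac.compare_digest(legacy_hash(cookie_key, candidate), stored)


def classify(stored: str) -> str:
    """Sort a stored passwd value by its shape."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_HEX_RE.match(stored):
        return "legacy-md5"
    # Anything else is not a hash this install would produce: treat as a finding.
    return "plaintext-or-unknown"


def audit(rows):
    """rows: (id_customer, email, passwd) tuples, i.e. the result of
    SELECT id_customer, email, passwd FROM ps_customer (constructed here).
    Returns per-format counts and the ids whose value is not a hash."""
    counts = {"bcrypt": 0, "legacy-md5": 0, "plaintext-or-unknown": 0}
    suspicious = []
    for id_customer, _email, passwd in rows:
        kind = classify(passwd)
        counts[kind] += 1
        if kind == "plaintext-or-unknown":
            suspicious.append(id_customer)
    return counts, suspicious


# Constructed sample rows: one bcrypt-shaped value, one legacy hash of
# "password", and one row that really does hold the plaintext.
SAMPLE_ROWS = [
    (1, "alice@example.com",
     "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    (2, "bob@example.com", legacy_hash(COOKIE_KEY, "password")),
    (3, "mallory@example.com", "password"),
]

if __name__ == "__main__":
    counts, suspicious = audit(SAMPLE_ROWS)
    print("formats:", counts)
    print("rows that are not hashes:", suspicious)
    stored = legacy_hash(COOKIE_KEY, "password")
    print("stored legacy value:", stored)
    print("guess 'password' matches:", verify_legacy(COOKIE_KEY, "password", stored))
    print("guess 'Password' matches:", verify_legacy(COOKIE_KEY, "Password", stored))
```

Run it against a real dump of the column and a healthy store reports only `bcrypt` and `legacy-md5`; any id in the suspicious list is worth a look. If the column is clean, the clear-text value on the profile page can only have come from the browser, which you can confirm from the other side by viewing the page source (the password field's `value` attribute is empty) or by opening the page in a private window with no saved credentials.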
