You are right.
wtremmel wrote:What was not so great, is that I found my panel password and all user passwords as clear text in files.
Encrypted passwords has already been scheduled, and I will be adding it to next X3 release!
I would like to make it 100% clear however, that your config.user.json file (where password is stored) is by no means accessible or readable to the outside world. For example from our demo:
Also, if you use the X3 panel database-version, logins are stored and encrypted in a database instead.
wtremmel wrote:Anything that can be cracked will be - its just a matter of time.
Especially in a hosted environment where you do not have full control over the server.
No CMS can truly protect you from users that have access to your server. They would already have access to your files and folders, and even Joomla and Wordpress need to store database login credentials in a file, which would make it easy to hi-jack the database (inject or modify users). Furthermore, it would not be complicated to edit some PHP to bypass the login mechanism. Even if logins are encrypted, anyone with access to where the the login is stored (database or file), can easily reset or modify the password with their own (encrypted or not).
Just to re-emphasize, i DO AGREE that encrypted passwords would be beneficial. Logically, there is no real reason you will gain much security from passwords being stored encrypted. Of course, passwords should never really be readable in the first place!
wtremmel wrote:Are there any plans for encrypted storage of passwords in X3?
Next release. Thanks again!