On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:

From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
Hello Marco,

Thanks for your wonderful work in this area.
I truly appreciate your efforts.

Here are few thoughts / comments :

1) We are saving password as it is.
https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
I think we should encrypt the password before saving it to database and
will not show the password as it is while fetching it from database.
Thoughts ?

+1, using what we already use (also SHA that should be salted at some point in the future)

These are all good changes, so thanks to Jacques and especially Ashish for the comments.

For the gateway password encryption we'll want to use the Entity Engine's built-in two-way encryption. We can't use SHA/hash encryption because we have to be able to decrypt these passwords to send them to the payment gateway (ie they would never accept a hashed form of the password, that is a big security hole and basically nullifies most of the benefit of the hash, which is why by default we don't allow that in OFBiz either).

-David

Reply via email to