Hi, > > I agree the current behavior is sub-optimal. DL should either: > > > > 1# Never send clear-text passwords, or > > 2# Send it all the time (storing it in clear-text on the server). > > > > I personally think that #1 makes more sense (gives the password > > some more meaning), but I don't have a strong opinion.
What's the problem with storing the download password in clear text? I can't see any security reason for this. This is just the download and every admin should be able to re-read the password.
Also now there's a problem, if you create a grant and set the password. The password won't be sent to your email (notification email) and if you'll download it a few days later, you have to guess about the password, which you had set.
So saving the password as clear text and make it visible to the creator over the WebGUI would make sense.
Greets, ssc
