We are aware of this issue and we had already planned to introduce some kind of password hashing in the future.
There are other concerns, though. In fact, what you suggest does not involve just "2 lines":
database field length should be updated
operator login procedure should be revised
operators add/edit should be revised
...
Furthermore, these changes will inevitably affect all running instances of daloRADIUS around the world, so their migration should be somehow managed, too.
Operators' passwords are saved in the DB in plain text.
Also, the operator password is returned to the edit form without any encryption.
In the configuration I can only change the type of the input from text to password, but with devtools anyone can change it; also, another operator can switch the configuration to disable password masking.
Please add bcrypt to operators' passwords. PHP has simple and elegant functions to do this: https://www.php.net/manual/en/function.password-hash.php and https://www.php.net/manual/en/function.password-verify.php
Only 2 lines but it is much safer.
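As an added example (not daloRADIUS code) covering both the reporter's suggestion and the maintainer's points about login, add/edit, field length and migration: hashing on add/edit, verification on login, and in-place upgrade of rows that still hold plaintext. The `$db` PDO handle, the `operators` table and its `username`/`password` columns are assumed names.

```php
<?php
// Added example, not code from daloRADIUS: bcrypt for operator passwords
// with a transparent migration of rows that still hold plaintext.
// Assumptions: a PDO handle $db and an `operators` table with `username`
// and `password` columns (names assumed for illustration).

// Called from the operator add/edit handlers: store only the hash.
function operator_set_password(PDO $db, string $username, string $password): void
{
    // A bcrypt hash is 60 characters; the DB column must be widened to hold
    // it (the PHP docs suggest 255 so a future default algorithm still fits).
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('UPDATE operators SET password = :h WHERE username = :u');
    $stmt->execute([':h' => $hash, ':u' => $username]);
}

// Called from the login procedure. Accepts a legacy plaintext row exactly once
// and upgrades it in place, so running installs need no offline migration.
function operator_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM operators WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown operator: do the same amount of bcrypt work so the response
        // time does not reveal which usernames exist.
        password_hash('x', PASSWORD_BCRYPT);
        return false;
    }

    if (password_get_info($stored)['algoName'] === 'unknown') {
        // Legacy plaintext row: constant-time compare, then hash on success.
        if (!hash_equals($stored, $password)) {
            return false;
        }
        operator_set_password($db, $username, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash if the cost or algorithm defaults changed since the row was stored.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        operator_set_password($db, $username, $password);
    }
    return true;
}
```

Once the column holds hashes, the edit form can no longer be handed the password back; it should only accept a new one and leave the field blank otherwise.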