security: suggest installing ep_hash_auth to get rid of plain text passwords

In its current form, Etherpad stores passwords for users in plain text in settings.json. We should at least mention the opportunity of installing ep_hash_auth to start tackling this problem. The advice was added in README.md and in settings.json.template Fixes #3444
2018-08-09 00:17:15 +02:00 · 2018-08-09 00:17:15 +02:00 · 10f0cb3253
parent 044f761b99
commit 10f0cb3253
2 changed files with 12 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -73,6 +73,12 @@ You can initially modify the settings in `settings.json`. (If you need to handle

 You should use a dedicated database such as "mysql", if you are planning on using etherpad-in a production environment, since the "dirtyDB" database driver is only for testing and/or development purposes.

+## Secure your installation
+If you have enabled authentication in `users` section in `settings.json`, it is a good security practice to **store hashes instead of plain text passwords** in that file. This is _especially_ advised if you are running a production installation.
+
+Please install [ep_hash_auth plugin](https://www.npmjs.com/package/ep_hash_auth) and configure it.
+If you prefer, `ep_hash_auth` also gives you the option of storing the users in a custom directory in the file system, without having to edit `settings.json` and restart Etherpad each time.
+
 ## Plugins and themes

 Etherpad is very customizable through plugins. Instructions for installing themes and plugins can be found in [the plugin wiki article](https://github.com/ether/etherpad-lite/wiki/Available-Plugins).
--- a/settings.json.template
+++ b/settings.json.template
@ -289,15 +289,21 @@
   *
   * is_admin = true gives access to /admin.
   * If you do not uncomment this, /admin will not be available!
+   *
+   * WARNING: passwords should not be stored in plaintext in this file.
+   *          If you want to mitigate this, please install ep_hash_auth and
+   *          follow the section "secure your installation" in README.md
   */

  /*
  "users": {
    "admin": {
+      // "password" can be replaced with "hash" if you install ep_hash_auth
      "password": "changeme1",
      "is_admin": true
    },
    "user": {
+      // "password" can be replaced with "hash" if you install ep_hash_auth
      "password": "changeme1",
      "is_admin": false
    }