PayPal pro password - visible

  • Posts: 185
  • Thank you received: 15
  • Hikashop Business
5 years 11 months ago #291355

Hi,
Is it possible for the password provided in the PayPal Pro plugin configuration to be hidden and not visible?


  • Posts: 4486
  • Thank you received: 609
  • MODERATOR
5 years 11 months ago #291361

Hello,

Do you mean in the backend Configuration? I mean in HikaShop Main Configuration => System dropdown => Payment method, and in the plugin settings edition?
If yes, you can use ACL to restrict Payment method access per user group.

Or is it in another context? If so, can you specify your context?
Awaiting news from you.

Regards

Last edit: 5 years 11 months ago by Philip.


  • Posts: 185
  • Thank you received: 15
  • Hikashop Business
5 years 11 months ago #291390

Hi Philip,
Yes, it's about configuring the plugin. I can set the ACL, but would it not be easier to encrypt the password?


  • Posts: 81361
  • Thank you received: 13037
  • MODERATOR
5 years 11 months ago #291413

Hi,

The password there is not the same as the password which allows you to log in to your PayPal account.
We don't hide it because even if someone reads it on your screen, he won't be able to do much with it.
Even with all the information there, the most he could do would be sending you some money.
Also, not hiding it allows you to easily check that you didn't make a mistake which, actually, happens quite often...

Also, note that encrypting the password and making it not visible are two different things.
Hiding the password would mean that it would be replaced by the browser with dots. It would only prevent someone looking over your shoulder from peeking. But someone with access to the page would still be able to get your password by looking at the HTML of the page (it takes 2 seconds and it is really easy to do). So if you want to prevent someone else with access to the backend from seeing it, it's better to use ACLs.
Encrypting the password is normally done in the database so that if you get hacked, the attacker can't easily get your password. However, due to the way the communication works between HikaShop and payment gateways, the password has to be stored in clear in the database so that it can be used to authenticate your website to the payment gateway when it contacts it. And as I said earlier, even if an attacker got your payment method information, he would only be able to transfer you some money.
No, the biggest risk is that someone with access to your backend changes the information there for his own account so that the money goes to him instead of your account. And this can be prevented with ACLs.

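Added example, not part of the thread and not HikaShop code: a small audit check for the point made in the reply above, that a masked field still carries the stored value in the page's HTML. The field name and sample markup are constructed for illustration, and the never-pre-filled field is included only for contrast.

```python
from html.parser import HTMLParser

# Name fragments treated as secret-bearing: an assumption for this example.
SECRET_HINTS = ("password", "passwd", "secret", "signature", "token")


class EchoedSecretFinder(HTMLParser):
    """Record <input> fields whose secret is echoed into the page source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        ftype = a.get("type", "text").lower()
        secret = ftype == "password" or any(h in name.lower() for h in SECRET_HINTS)
        if secret and a.get("value"):
            # Report the length only, so the audit output never repeats the secret.
            self.findings.append({"name": name, "masked": ftype == "password",
                                  "value_length": len(a["value"])})


def audit_form(html):
    """Return one finding per secret field that carries a pre-filled value."""
    finder = EchoedSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup; the field name is hypothetical, not HikaShop's.
VISIBLE = '<input type="text" name="payment[password]" value="EXAMPLE-API-PASS">'
MASKED = '<input type="password" name="payment[password]" value="EXAMPLE-API-PASS">'
WRITE_ONLY = '<input type="password" name="payment[password]" value="">'

if __name__ == "__main__":
    for label, html in (("visible", VISIBLE), ("masked", MASKED),
                        ("write-only", WRITE_ONLY)):
        print(label, audit_form(html))
```

The visible and masked fields produce the same finding apart from the `masked` flag, which is why restricting who can open the page (ACLs) matters more than how the field is rendered.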

  • Posts: 185
  • Thank you received: 15
  • Hikashop Business
5 years 11 months ago #291425

Hi Nicolas,
Thank you for your comprehensive answer :)

