BUG: Dataiku login sending password without hash

skandagn
Level 2

The Dataiku enterprise login portal is set to send the login username and password without a salted hash, as plain text. This is a serious security issue that has to be addressed. Anyone in the network can get the password that's sent unencrypted and unhashed.

The Dataiku team must take this issue seriously and fix it in upcoming versions.


Thanks


Operating system used: Windows

AdrienL
Dataiker

Hi skandagn,

I see 2 aspects to consider in your question:

  1. Salting and hashing local user account passwords: DSS does that (for DSS-managed accounts, i.e. when you don't use LDAP/SSO since in that case DSS does not even have your password), on the backend side. It would be useless on the frontend (in the browser), as the hash of your password would effectively become your new password. For more info, see the documentation on Password Security.
  2. SSL/HTTPS, providing in-transit encryption between the user's browser and the DSS server: DSS can (and indeed should) be configured to do that, but it needs to be set up by your DSS administrator, as it depends on how the administrator wants to set this up (self-signed certificate, company certificate, which hostname, etc.). See Configuring HTTPS for instances using the Custom installation setup (installed via the command line). When using the Cloud Stacks installation setup, this is automatically done by default.
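The first point above, server-side salting and hashing with a per-account salt and constant-time verification, as an added example that is not DSS code and not part of the original thread; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, salt length and in-memory `UserStore` record layout are assumptions for illustration, not DSS's actual parameters.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo; tune to your hardware
SALT_BYTES = 16              # assumed salt length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per account so two
    users who pick the same password end up with unrelated digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory stand-in for a backend account table (constructed for the demo)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        # Only the salt and digest are kept; the plaintext password is never stored.
        self._accounts[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._accounts.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a known one.
            hash_password(password)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        # Constant-time comparison, so the reply time does not leak matching bytes.
        return hmac.compare_digest(actual, expected)


def same_password_different_digests(password: str) -> bool:
    """Shows the effect of the per-account salt: registering the same password
    twice yields two different stored digests."""
    store = UserStore()
    store.register("alice", password)
    store.register("bob", password)
    return store._accounts["alice"][1] != store._accounts["bob"][1]
```

Note that nothing here changes what travels from the browser to the server; that is what the HTTPS configuration in the second point covers.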