ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Member Password

January 26, 2011 12:08pm

  • #1 / Jan 26, 2011 12:08pm

    StayInTouch

    16 posts

    The way our member site is set up, it is important that we have access to the passwords for our clients because we need to export their entries each month via the plug-in CSVEE. All of our current members were imported, so we have all of those passwords. However, as new members order from us and then go to register on the site, we aren’t going to have access to those passwords. I’ve come to the conclusion that it’s virtually impossible to get the password once the client signs up.

    We could manually register every new client, but if we start getting a lot of new members that is going to be a lot of work for us to keep up with, and our members to have to wait until we get the account set up.

    I had an idea about having a hidden custom member field on the registration page that would capture the password a client types into the password field. What security implications could this cause? Also, it’s worth pointing out that I’m using the User Module to register members.

    I do want to say that EE is just awesome and I love using it for our member site. I’m able to do things that were not possible in our previous member site. So thank you for being so awesome!

    Thank you,

    Chad Boswell

  • #2 / Jan 26, 2011 10:34pm

    Lisa Wess

    20502 posts

    Hi, Chad - the passwords are SHA1 encrypted (unless you changed them to MD5) - there is no way to get those passwords, short of breaking the SHA1 encryption.

    Why do you need to access your clients’ accounts to export their entries? That shouldn’t be necessary at all, and seems fairly onerous.

  • #3 / Jan 27, 2011 12:57pm

    StayInTouch

    16 posts

    Lisa,

    I probably should have given more details on how we are using the member’s site.

    I’ve set it up so that our members can manage a mailing list of clients for postcards that we send out for them each month. Each client is an entry in the system.

    So they go in each month and add and delete these clients and then we go in at the end of the month and export all of their entries into a .CSV file and send that to our fulfillment house. Some clients also pay us to manage their list for them.

    I know we have the ability to log in as that member through the CP if we don’t have their password, but the admin who manages all of these mailing lists can’t keep logging in to the CP to go into each account. She usually exports 40 - 50 lists in a day and it’s easier if she has the password.

    Right now, it’s not a big deal, but because we have so much more control over how our member site works in EE, we are really pushing to bring in a lot of new members because we are finally able to offer better content. So in 3 - 6 months, we could really double or triple our membership and we don’t want to have to ask each customer to give us their password or if they call in asking for it, we don’t want to tell them we don’t know what it is and the only solution is to reset it.

    Going back to my original question, if I set something up that copies the password they create into a hidden field that submits to a custom member field, what security implications could this have? Our clients don’t have access to the CP and they do all of their list management through the front end so I can control what custom member fields get displayed to them.

    Thanks for any help you can provide on this.

    Chad Boswell

  • #4 / Jan 27, 2011 1:54pm

    Lisa Wess

    20502 posts

    Hi, Chad -

    That information is in the database, you can certainly build a template to pull out what you need without having your member’s details.  How are the emails stored? An email per entry, with the client as the author?

    I really don’t think that lowering your security to the point of having plain text passwords (exactly what you’re trying to do) is a good option.  Why don’t we explore a better way to get that data?  You might find that you can ease the workflow as well?
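An added example, not part of the original thread or any poster's code: the monthly export described above, done as one admin-side query keyed on entry author, so no member password is stored or needed. The table names, column names and role values are constructed for illustration and are not ExpressionEngine's schema.

```python
import csv
import io
import sqlite3

# Constructed schema: one row per mailing-list client, owned by a member.
SCHEMA = """
CREATE TABLE members (member_id INTEGER PRIMARY KEY, username TEXT, role TEXT);
CREATE TABLE entries (entry_id INTEGER PRIMARY KEY, author_id INTEGER,
    first_name TEXT, last_name TEXT, address TEXT, city TEXT,
    state TEXT, zip TEXT, country TEXT);
"""
COLUMNS = ["first_name", "last_name", "address", "city", "state", "zip", "country"]

def build_sample_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO members VALUES (?,?,?)", [
        (1, "list_admin", "admin"), (2, "member_a", "member"), (3, "member_b", "member")])
    db.executemany("INSERT INTO entries VALUES (?,?,?,?,?,?,?,?,?)", [
        (10, 2, "Ann", "Lee", "1 Main St", "Reno", "NV", "89501", "US"),
        (11, 2, "Bo", "Diaz", "=2+2 Elm St", "Reno", "NV", "89502", "US"),
        (12, 3, "Cy", "Ng", "9 Oak Ave", "Bend", "OR", "97701", "US")])
    return db

def safe_cell(value):
    # Member-supplied text goes to a spreadsheet: neutralize formula-leading cells.
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def export_lists(db, acting_member_id):
    """Return {username: csv_text} for every member; the caller must be an admin."""
    row = db.execute("SELECT role FROM members WHERE member_id = ?",
                     (acting_member_id,)).fetchone()
    if row is None or row[0] != "admin":
        raise PermissionError("export requires the admin role")
    query = ("SELECT m.username, " + ", ".join("e." + c for c in COLUMNS) +
             " FROM entries e JOIN members m ON m.member_id = e.author_id"
             " ORDER BY m.username, e.entry_id")
    buffers = {}
    for username, *fields in db.execute(query):
        if username not in buffers:
            buffers[username] = io.StringIO()
            csv.writer(buffers[username]).writerow(COLUMNS)
        csv.writer(buffers[username]).writerow([safe_cell(f) for f in fields])
    return {name: buf.getvalue() for name, buf in buffers.items()}
```

Access is decided by the caller's role rather than by logging in as each member, so the export can be audited under the admin's own account.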

  • #5 / Jan 28, 2011 12:48pm

    StayInTouch

    16 posts

    Thanks for the response Lisa. To clarify for you, these entries are for postcard mailings, not emails. The exported data includes the client’s first name, last name, address, city, state, zip, and country. There is an advanced details section where members can add an email address for that client if they want but the primary purpose of the list is for postcard mailings.

    I’ve created some training videos for our clients that you can review to find out how I set this up and what the client sees:

    http://www.youtube.com/view_play_list?p=BEB1CE8F2A03B9F3

    Regarding plain text passwords, we use a Customer Relationship Management system called Infusionsoft that we keep each member’s username and password in. The idea is that whenever a new registration comes in, I would go into that new account and grab the password from that custom field, put it into Infusionsoft and then delete it out of the member’s area.

    We also have a spreadsheet we keep all passwords in.

    I do agree that there has got to be a better way to get the data for exporting and I’ve got an idea that I’m going to develop. I had started a front end admin area but due to time constraints I couldn’t get it finished up. I believe I can set up a way for our Superadmin to go in and manage the clients’ exports in one location instead of having to log in as each person. I created a thread a few months ago about this admin area because I was stuck:

    http://ellislab.com/forums/viewthread/171632/

    Perhaps you can review that thread and offer suggestions on how I could accomplish this?

    Thanks again for your time.

    Chad Boswell

  • #6 / Jan 29, 2011 3:52pm

    Greg Salt

    3988 posts

    Hi Chad,

    Have you considered writing an extension that interacts with the Infusionsoft API? That would negate the need to have an admin copy and paste data between the two systems. In the default EE installation the member_member_register_start hook would give you direct access to the member details right before any validation and if you are using Solspace’s User then I believe that the user_register_start hook in that module would be an equivalent.

    Cheers

    Greg

  • #7 / Jan 29, 2011 8:45pm

    StayInTouch

    16 posts

    Greg,

    This is why you guys are so awesome. I’m not sure how I’d pull this off exactly but it’s a very feasible idea that I wouldn’t have thought of. Since you’ve provided me the hooks I would need, I at least know where to start and hopefully I can come up with a solution.

    Of course if you have experience with the Infusionsoft API, could we discuss what you might charge to build an extension like you suggested?

    Thanks,

    Chad Boswell

  • #8 / Jan 31, 2011 3:03am

    John Henry Donovan

    12339 posts

    Chad,

    I’m going to close this one out. If you wish to contact Greg directly use his PM or through his own site here. Feel free to start a new thread if you have any more questions.
