From 10f0cb325304c15808015dba97dbf35a790898a8 Mon Sep 17 00:00:00 2001 From: muxator Date: Thu, 9 Aug 2018 00:17:15 +0200 Subject: [PATCH] security: suggest installing ep_hash_auth to get rid of plain text passwords In its current form, Etherpad stores passwords for users in plain text in settings.json. We should at least mention the opportunity of installing ep_hash_auth to start tackling this problem. The advice was added in README.md and in settings.json.template Fixes #3444 --- README.md | 6 ++++++ settings.json.template | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index 5052d916b..53702bc4b 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,12 @@ You can initially modify the settings in `settings.json`. (If you need to handle You should use a dedicated database such as "mysql", if you are planning on using etherpad-in a production environment, since the "dirtyDB" database driver is only for testing and/or development purposes. +## Secure your installation +If you have enabled authentication in `users` section in `settings.json`, it is a good security practice to **store hashes instead of plain text passwords** in that file. This is _especially_ advised if you are running a production installation. + +Please install [ep_hash_auth plugin](https://www.npmjs.com/package/ep_hash_auth) and configure it. +If you prefer, `ep_hash_auth` also gives you the option of storing the users in a custom directory in the file system, without having to edit `settings.json` and restart Etherpad each time. + ## Plugins and themes Etherpad is very customizable through plugins. Instructions for installing themes and plugins can be found in [the plugin wiki article](https://github.com/ether/etherpad-lite/wiki/Available-Plugins). diff --git a/settings.json.template b/settings.json.template index 800a1f341..9314ebf97 100644 --- a/settings.json.template +++ b/settings.json.template 
@@ -289,15 +289,21 @@ * * is_admin = true gives access to /admin. * If you do not uncomment this, /admin will not be available! + * + * WARNING: passwords should not be stored in plaintext in this file. + * If you want to mitigate this, please install ep_hash_auth and + * follow the section "secure your installation" in README.md */ /* "users": { "admin": { + // "password" can be replaced with "hash" if you install ep_hash_auth "password": "changeme1", "is_admin": true }, "user": { + // "password" can be replaced with "hash" if you install ep_hash_auth "password": "changeme1", "is_admin": false }
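Review bot: The new "Secure your installation" section in the README.md hunk tells readers to store hashes but never says what value to put in the file or how to produce it, so a reader who installs `ep_hash_auth` still has to work out the hash format on their own; suggest adding one sentence pointing at the plugin's documentation for generating the hash and stating that the hash replaces the `password` value for that user, so the README and the template comments describe the same procedure. Minor wording in the same paragraph: "in `users` section" should read "in the `users` section", and "etherpad-in a production environment" in the surrounding context line (not part of this change) has a stray hyphen that could be fixed while this file is being touched.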
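Review bot: In the settings.json.template hunk the WARNING block refers to the README section as "secure your installation" while the heading added in the same patch is "Secure your installation"; keep the two identical so a search for the phrase finds it. The two added `// "password" can be replaced with "hash" if you install ep_hash_auth` comments say the key can be swapped but give no hint of what the replacement line looks like; consider showing it once in comment form next to the first user, e.g. `// "hash": "<value generated as described in the ep_hash_auth documentation>"`, so the template is self-explanatory. Note also that both sample users still ship with the literal `"changeme1"` password; the WARNING would be stronger if it also reminded the reader that these placeholder values must be changed, not only hashed.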