From PhpCOIN Documentation
There are three client passwords that are stored in the phpCOIN database. They are:
- The client's password for logging into the phpCOIN package,
- The FTP password for the client, and
- The client's control panel password.
phpCOIN Login Password
This is the password the user fills in when the client account is created. Usually by the order process, or by an admin creating the clients manually. Note the following:
- This password is one way encrypted and cannot be read from the database in a human readable form.
- This password in NO way can be retrieved for display in a readable form, nor can it be sent to the client.
So lets make it clear that this password is secure. Placing the phpCOIN package under the https: protocol will ensure encryption from the client browser to the server, but that is a choice the admin must make.
FTP and Control Panel Password
The intent of these password fields was to provide an initial password for the activation email that gets sent to new clients. The phpCOIN package will automatically create a random string for the initial values when the domain entry is created. Note the following:
- The original design intention was that these passwords would be changed by the user to something that matched their way of doing things. Therefore, the intent was that these passwords would have a very short life cycle.
- At no time were these fields intended to store a "current" password as they are NOT encrypted (so they can be sent to client). However, after repeated questions from users wanting to use these for more than intended, and after repeated warnings against it, an option was added to save the client's phpCOIN password non-encrypted into these fields.
So again lets make it clear that if you choose to use these fields beyond the intended use (to simply populate the first activation email), then you, the admin of your phpCOIN package, are implying that you are aware of the risk of non-encrypted passwords in a MySQL database and you do so at your own risk.