Emails should not contain passwords in plain text

[cdbessig]

Emails, for one example, app\locale\en_US\template\email\account_new.html contain the user's password in plain text. This should be corrected throughout all locals to not send users passwords.

This is now considered best practice. This has always annoyed me that magento 1.9.4 never took care of this.

Now when I moved to openmage this was overwritten and I got the default functionality back. Since openmage is meant to be Long term support AND feature enhancement of M1, I would consider this as a valid feature request, or even a security issue (possible leak).

What I propose is in each locale change this line:

<strong>Password</strong>: {{htmlescape var=$customer.password}}

To something like this:

<strong>Password</strong>: -- What you entered when you signed up --

[colinmollenhour]

Thanks for opening this issue, Brian. We discussed this at length at #307 and I think came to a conclusion on what to do but it hasn't been executed on yet. If you can submit a PR that would be awesome!

[kkrieger85]

Shame on me. I assigned #307 and forgot about it.

PR coming today

[sreichel]

Fixed in #1021