Minor security issue / login bug


#1

When a customer tries to create an account with a password that starts with ‘$2’, he will not be able to access the account.

Also, the password will be stored in clear text. That is a security risk if the customer is using the same password for other accounts. Someone with access to the database will be able to see the password and get into the user’s accounts.

The cause of the problem is the condition of the getEncodedPassword method from the Customer class.

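The failure mode described in the report, as an added illustration that is not part of the original post and not Spryker's code: the report names the condition in Customer::getEncodedPassword as the cause but does not show it, so the VulnerableCustomer class below is a hypothetical reconstruction of a method that decides "already hashed" from the bcrypt ‘$2’ prefix, placed beside a HardenedCustomer that carries the hashing state explicitly. Class names, the $isHashed flag and the sample password are assumptions made for the example.

```php
<?php
// Added example, not Spryker's code. VulnerableCustomer is a hypothetical
// reconstruction of a prefix-based "is this already a hash?" check; the
// real Customer::getEncodedPassword() is not reproduced here.

declare(strict_types=1);

final class VulnerableCustomer
{
    private string $password;

    public function __construct(string $password)
    {
        $this->password = $password;
    }

    // Treats any value starting with '$2' (the bcrypt prefix) as a hash.
    // A raw password such as '$2sunshine' is therefore returned unchanged
    // and ends up in the database as clear text; password_verify() later
    // rejects it because it is not a valid bcrypt hash, so login fails.
    public function getEncodedPassword(): string
    {
        if (strpos($this->password, '$2') === 0) {
            return $this->password;
        }

        return password_hash($this->password, PASSWORD_BCRYPT);
    }
}

final class HardenedCustomer
{
    private string $password;
    private bool $isHashed;

    // The caller states whether the value is already a hash (assumed flag);
    // the content of the string itself is never used to decide.
    public function __construct(string $password, bool $isHashed = false)
    {
        $this->password = $password;
        $this->isHashed = $isHashed;
    }

    public function getEncodedPassword(): string
    {
        if ($this->isHashed) {
            return $this->password;
        }

        return password_hash($this->password, PASSWORD_BCRYPT);
    }
}

// Constructed sample: a plaintext password that happens to start with '$2'.
$plain = '$2sunshine';

$vulnerable = (new VulnerableCustomer($plain))->getEncodedPassword();
printf("vulnerable: stored in clear text = %s, login works = %s\n",
    var_export($vulnerable === $plain, true),
    var_export(password_verify($plain, $vulnerable), true));

$hardened = (new HardenedCustomer($plain))->getEncodedPassword();
printf("hardened:   stored in clear text = %s, login works = %s\n",
    var_export($hardened === $plain, true),
    var_export(password_verify($plain, $hardened), true));
```

The point of the hardened variant is that "is this value already hashed?" is a property of where the value came from (user input versus a row loaded from the database), so it should travel as explicit state rather than be inferred from the bytes of the password, which the user controls.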

#2

Hello Florin,

Thanks for reporting the issue. We’ve added it to our backlog and will include a fix for it in one of the future releases of Spryker Core.

Regards,

The Forum Team