Task #103263
closed
Remove max 100 size for backend fe_users password field in TYPO3 11 LTS
0%
Description
In TYPO3 11 LTS the fe_users password database field is varchar(100), which is too small if the user wants to use a password from e.g. a password manager with a size of 128.
The field should also be changed to varchar(255) as in TYPO3 12 LTS.
Updated by Torben Hansen 9 months ago
- Status changed from New to Needs Feedback
The field has been changed in v12 to support future PHP hashing algorithms (see #97221). However, TYPO3 stores the hash of the passwords, so using our current available hashing algorithms and hash algorithm configuration, there should be no problem with passwords as described, since if the password has a size of 128, the Argon2id hash should have a length which fits into the current field size.
Additionally, TYPO3 11.5 is in priority bugfix state, so I doubt such a change would make it into v11. If needed individually, I suggest extending the field size through an extension.
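The point made in the comment above, that the stored hash length depends on the algorithm and its parameters rather than on the password length, can be checked with plain PHP. This is an added example, not TYPO3 core code and not part of the original thread; it assumes a PHP build with Argon2id support and uses PHP's default cost parameters, which may differ from TYPO3's configured ones. The names `samplePassword`, `argon2idHashLengths` and `FIELD_SIZE` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Uses PHP's default Argon2id cost
// parameters (assumption: TYPO3's configured options may differ).

const FIELD_SIZE = 100; // varchar(100) for fe_users.password in TYPO3 11 LTS, per the issue

/** Build a constructed sample password of exactly $length characters. */
function samplePassword(int $length): string
{
    return substr(bin2hex(random_bytes(intdiv($length + 1, 2))), 0, $length);
}

/** Return [password length => stored hash length] for Argon2id. */
function argon2idHashLengths(array $passwordLengths): array
{
    $lengths = [];
    foreach ($passwordLengths as $length) {
        $password = samplePassword($length);
        $hash = password_hash($password, PASSWORD_ARGON2ID);
        // The full password must still verify; nothing is cut off by hashing.
        if (!password_verify($password, $hash)) {
            throw new RuntimeException("Verification failed for length $length");
        }
        $lengths[$length] = strlen($hash);
    }
    return $lengths;
}

if (!defined('PASSWORD_ARGON2ID')) {
    fwrite(STDERR, "This PHP build has no Argon2id support.\n");
    exit(1);
}

foreach (argon2idHashLengths([8, 100, 128, 255]) as $pwLen => $hashLen) {
    printf(
        "password %3d chars -> hash %3d chars (%s varchar(%d))\n",
        $pwLen,
        $hashLen,
        $hashLen <= FIELD_SIZE ? 'fits' : 'exceeds',
        FIELD_SIZE
    );
}
```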
Updated by Christian Kuhn 8 months ago · Edited
This sounds fishy: Core never stores passwords as plain text, it's always hashed and currently provided and supported hash algos don't need more than 100 chars.
If you hacked your instance and disabled password hashes to store plaintext passwords: Stop doing this! This is a critical security issue as soon as an attacker manages to retrieve a password through for instance an SQL injection or some other attack vector like a not properly secured db.
Updated by Patrick Lenk 8 months ago
I do not hack my instances or disable hashing, please come down. Maybe my description above is not clear. It is specifically about creating a fe-user via the backend. No password longer than 100 characters can be entered in the backend fe-user password field.
Updated by Patrick Lenk 8 months ago
- Subject changed from Also increase fe_users password database field size in TYPO3 11 LTS to Remove max 100 size for backend fe_users password field in TYPO3 11 LTS
Updated by Patrick Lenk 8 months ago
Patrick Lenk wrote:
In TYPO3 11 LTS the fe_users password database field is varchar(100), which is too small if the user wants to use a password from e.g. a password manager with a size of 128.
The field should also be changed to varchar(255) as in TYPO3 12 LTS.
My original description was wrong and misleading. The database field is not relevant here, but the config of the fe-user password field in the TCA, which is limited to 100.
Updated by Patrick Lenk 8 months ago
- Category changed from Frontend to Backend User Interface
Updated by Patrick Lenk 8 months ago
- Tags changed from fe_users, frontend, password to fe_users, backend, password
Updated by Torben Hansen 8 months ago
The described change will most likely not make it into v11. Please increase the value to 255 with
$GLOBALS['TCA']['fe_users']['columns']['password']['config']['max'] = 255;
defined in Configuration/TCA/Overrides/fe_users.php in your sitepackage.
Updated by Riccardo De Contardi 8 months ago
- Status changed from Needs Feedback to Closed
Sorry but I tend to close this issue as won't have on v.11 (which is in "Priority bugfix mode")
Please refer to Torben Hansen's comment n° 8
If you think that this is the wrong decision please open a new issue with a reference to this one.
Thank you and best regards