Bug #17987

closed

Integration of fe_users password encryption

Added by Steffen Kamper over 16 years ago. Updated almost 14 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2008-01-13
% Done: 0%
TYPO3 Version: 4.2
PHP Version: 5.2

Description

Using a simple flag
$TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5';

Authentication takes care of it and, in the case of md5, compares to the md5 value.

In the BE, the eval of the fe_users password field looks at this flag too, so saving a user password in the BE with the flag set to md5 will save it as an md5 value.

(issue imported from #M7139)


Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Feature #18039: Integration of kb_md5fepw into SysExt felogin (Closed, Steffen Kamper, 2008-01-22)
Related to TYPO3 Core - Feature #20382: Implement RSA authentication for BE and FE (Closed, Dmitry Dulepov, 2009-04-30)
Has duplicate TYPO3 Core - Feature #14863: Switchable way of storing FE-User Passwords (clear-text / MD5) (Closed, 2005-07-14)

Actions #1

Updated by Søren Andersen about 16 years ago

Hi, I have been having some trouble with the way passwords are handled in TYPO3 4.2.

When I create a new fe-user the password will be md5 encrypted, but the "felogin" doesn't seem to handle encrypted passwords. In my installation I have mm_forum that lets visitors create a user themselves, but these users are created with plain-text passwords.

So I'm in a bit of trouble.
I need to be able to modify users with plain-text passwords, at least until mm_forum implements a way to let me decide if the password should be saved md5 encrypted.
At the same time I think that it's fine in regards to security that feusers created in the backend have md5 encrypted passwords, but I need to know how I get the "felogin" extension to submit md5 encrypted passwords, so the login can be successful.

I have tried putting:
$TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5';
in localconf.php, but it doesn't seem to make a difference. The users are still saved with md5 passwords.

Actions #2

Updated by Steffen Kamper about 16 years ago

The only way atm is to use the ext kb_md5fepw; felogin supports it.

There are discussions about general pw-handling, so handling of md5 or other crypt may become part of core in next versions.

Actions #3

Updated by Søren Andersen about 16 years ago

It seems kb_md5fepw is the way to go then, mm_forum should also support this.

But I think it would be weird to release a stable version of 4.2 that automatically uses md5 passwords, when you need to install kb_md5fepw to make the login work. If there isn't one already, there should be a way to disable the automatic creation of md5 passwords. And this should be the default setting until the loginbox handles these passwords as the default.

Actions #4

Updated by Søren Andersen about 16 years ago

kb_md5fepw didn't help. The passwords aren't md5 crypted. Do you use a salt with the md5 crypt? Either I'm doing something wrong or this is a bug that is critical enough to delay the release of 4.2; it's simply too complicated to handle front end users in 4.2 when it doesn't ensure that passwords are treated consistently.

Actions #5

Updated by Dmitry Dulepov about 16 years ago

There should be a way to keep the password unencrypted because it is used in "remind password" functionality by some sites. -1 to permanent encryption of the password.

Actions #6

Updated by Nikolas Hagelstein about 15 years ago

I think the "remind password" feature is not a show stopper for encrypted passwords. Remind password can be replaced by something like "reset password" or similar.

Actions #7

Updated by Chris topher almost 14 years ago

This has been solved by integrating saltedpasswords into the TYPO3 Core.
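
The inconsistency discussed in this thread is that some fe_users records hold plain text while others hold an MD5 digest, and the login check must agree with whatever was stored. The following PHP is an added example, not code from TYPO3, felogin, kb_md5fepw or saltedpasswords: it recognises each stored format, compares accordingly, and returns a salted hash to store after a successful login. The function names and the sample records are hypothetical.

```php
<?php
// Added illustration; function names and sample records are hypothetical.

/** Classify a stored password value by its shape. */
function storedFormat(string $stored): string
{
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return 'salted';               // produced by password_hash()
    }
    // Caveat: a plain-text password that is itself 32 lowercase hex characters
    // cannot be told apart from a digest by shape alone.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        return 'md5';                  // bare, unsalted MD5 hex digest
    }
    return 'plain';
}

/** Check a login attempt; returns [ok, salted hash to store instead, or null]. */
function verifyAndUpgrade(string $submitted, string $stored): array
{
    $format = storedFormat($stored);
    switch ($format) {
        case 'salted':
            $ok = password_verify($submitted, $stored);
            break;
        case 'md5':
            $ok = hash_equals($stored, md5($submitted));   // constant-time compare
            break;
        default:
            $ok = hash_equals($stored, $submitted);
    }
    // After a successful login on a legacy or outdated format, migrate the record.
    $upgrade = $ok && ($format !== 'salted'
        || password_needs_rehash($stored, PASSWORD_DEFAULT));
    return [$ok, $upgrade ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Constructed sample records: the same password stored three ways.
$records = [
    'created by a frontend extension' => 'joh316',
    'saved in the backend with md5'   => md5('joh316'),
    'already salted'                  => password_hash('joh316', PASSWORD_DEFAULT),
];
foreach ($records as $origin => $stored) {
    [$ok, $newHash] = verifyAndUpgrade('joh316', $stored);
    printf("%-32s %-6s login=%s upgrade=%s\n", $origin, storedFormat($stored),
        $ok ? 'ok' : 'fail', $newHash === null ? 'no' : 'yes');
}
```

Because the check decides per record, plain-text and MD5 rows created by different extensions can coexist during a migration, and each one is replaced by a salted hash the first time its owner logs in.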
