Feature #21152

Integration of saltedpasswords as system extension

Added by Oliver Hader over 10 years ago. Updated over 9 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version: -
Start date: 2009-09-29
Due date:
% Done: 0%
PHP Version: 5.2
Tags:
Complexity:
Sprint Focus:

Description

Problem:
Passwords of backend users are stored as MD5 and weak passwords like "secret" can be recalculated using rainbow tables from that hash. Passwords of frontend users are not hashed at all.

Solution:
The possibility of rainbow attacks is reduced by adding a random salt to the stored hash. The saltedpasswords extension can create hashes using the PHP crypt method or the phpass hashing framework. Thus the following hash variants can be used:
  • MD5, hash starting with $1$
  • Blowfish, hash starting with $2$ or $2a$
  • phpass, hash starting with $P$

Since passwords are now transferred in plain text to the server, it's highly recommended and required to transfer that information via a secure channel like SSL/HTTPS or the rsaauth system extension.

Installing saltedpasswords using the extension manager will give you some remarks and suggestions concerning your system scenario and which settings have to be adjusted.

The saltedpasswords extension can be activated and configured for frontend and backend independently.

Notes:
The saltedpasswords extension will modify the (hashed) passwords in the be_users and fe_users table. So, please test the behaviour first on a development environment - especially if you have custom extensions installed that perform direct queries to the mentioned tables and rely on that information.

SVN URI used for svn:externals:
https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/tags/43beta1/

(issue imported from #M12076)
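
An added example, not part of the original issue or of the saltedpasswords extension: a small audit that classifies stored password values by the prefixes listed in the description and reports rows still held as unsalted MD5 or plain text. The function names and the sample rows are assumptions constructed for illustration; only the table names and prefixes come from the issue text.

```python
import hashlib
import re
from collections import Counter

# Prefixes as listed in the issue description; anything else is legacy storage.
SALTED_PREFIXES = (
    ("$1$", "md5-crypt"),
    ("$2a$", "blowfish"),
    ("$2$", "blowfish"),
    ("$P$", "phpass"),
)
# Heuristic: a plain-text password that happens to be 32 hex chars lands here too.
BARE_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify(stored):
    """Return the storage scheme of one password column value."""
    for prefix, scheme in SALTED_PREFIXES:
        if stored.startswith(prefix):
            return scheme
    if BARE_MD5.match(stored):
        return "unsalted-md5"
    return "plaintext"


def audit(rows):
    """rows: (table, username, stored). Returns (table, user, scheme, shared)."""
    rows = list(rows)
    # Unsalted hashes are deterministic, so equal values reveal shared passwords.
    counts = Counter(s for _, _, s in rows if classify(s) == "unsalted-md5")
    findings = []
    for table, user, stored in rows:
        scheme = classify(stored)
        if scheme in ("unsalted-md5", "plaintext"):
            findings.append((table, user, scheme, counts[stored] > 1))
    return findings


# Constructed sample rows (not real data); salted values are dummy strings.
SAMPLE_ROWS = [
    ("be_users", "admin", hashlib.md5(b"secret").hexdigest()),
    ("be_users", "editor", hashlib.md5(b"secret").hexdigest()),
    ("be_users", "oliver", "$P$CconstructedSaltconstructedHashValue00"),
    ("fe_users", "shopper", "summer2009"),
    ("fe_users", "member", "$1$constrct$constructedHashValue000000"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

The `shared` flag is the practical sign of a missing salt: two backend users with the same password produce the same stored value, which a salted scheme would not.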


Related issues

Related to TYPO3 Core - Feature #14863: Switchable way of storing FE-User Passwords (clear-text / MD5) Closed 2005-07-14

History

#1 Updated by Oliver Hader over 10 years ago

Integrated via svn:externals in SVN Trunk (rev. 6067)
