Feature #21152

Integration of saltedpasswords as system extension

Added by Oliver Hader about 15 years ago. Updated over 14 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2009-09-29
% Done: 0%
PHP Version: 5.2

Description

Problem:
Passwords of backend users are stored as MD5 and weak passwords like "secret" can be recalculated using rainbow tables from that hash. Passwords of frontend users are not hashed at all.

Solution:
The possibility of rainbow attacks is reduced by adding a random salt to the stored hash. The saltedpasswords extension can create hashes using the PHP crypt method or the phpass hashing framework. Thus the following hash variants can be used:
  • MD5, hash starting with $1$
  • Blowfish, hash starting with $2$ or $2a$
  • phpass, hash starting with $P$

Since passwords are now transferred to the server in plain text, it's highly recommended and required to transfer that information via a secure channel like SSL/HTTPS or the rsaauth system extension.

Installing saltedpasswords using the extension manager will give you some remarks and suggestions concerning your system scenario and which settings have to be adjusted.

The saltedpasswords extension can be activated and configured for frontend and backend independently.

Notes:
The saltedpasswords extension will modify the (hashed) passwords in the be_users and fe_users table. So, please test the behaviour first on a development environment - especially if you have custom extensions installed that perform direct queries to the mentioned tables and rely on that information.

SVN URI used for svn:externals:
https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/tags/43beta1/

(issue imported from #M12076)
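Added example (not part of the issue or of the saltedpasswords code): a small audit that classifies stored password values by the prefixes listed above and flags unsalted MD5 values that a precomputed table would resolve. The rows, the wordlist, and the `salted_md5` helper (a simplified salt+MD5, not the `$1$` crypt algorithm) are constructed assumptions for illustration.

```python
import hashlib
import re
import secrets

# Hash prefixes named in the issue text, mapped to the scheme that produces them.
PREFIXES = {"$1$": "md5-crypt", "$2$": "blowfish", "$2a$": "blowfish", "$P$": "phpass"}

# Constructed wordlist standing in for a precomputed (rainbow-style) lookup table.
WEAK = ["secret", "password", "123456"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK}

def classify(stored):
    """Name the storage scheme of one password column value (heuristic)."""
    for prefix, scheme in PREFIXES.items():
        if stored.startswith(prefix):
            return scheme
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"
    return "plaintext"  # anything else; a cleartext value could also mimic a hash

def salted_md5(password, salt=None):
    """Simplified salt+MD5 that only illustrates the salt's effect.
    This is NOT the $1$ crypt algorithm and not suitable for storage."""
    salt = salt or secrets.token_hex(4)
    return salt, hashlib.md5((salt + password).encode()).hexdigest()

def audit(rows):
    """Return (table, user, scheme, finding) for each row."""
    report = []
    for table, user, stored in rows:
        scheme = classify(stored)
        if scheme == "plaintext":
            finding = "stored in clear text"
        elif scheme == "unsalted-md5":
            finding = "in lookup table" if stored in LOOKUP else "unsalted"
        else:
            finding = "salted"
        report.append((table, user, scheme, finding))
    return report

# Constructed sample rows; the salted values show the format only, not real hashes.
ROWS = [
    ("be_users", "admin", hashlib.md5(b"secret").hexdigest()),
    ("be_users", "editor", "$1$abcdefgh$" + "x" * 22),
    ("fe_users", "alice", "secret"),
    ("fe_users", "bob", "$P$9abcdefgh" + "y" * 22),
    ("fe_users", "carol", "$2a$07$" + "z" * 53),
]
```

The same password hashed with two different salts yields two different digests, neither of which appears in the table built from unsalted MD5 values.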


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #14863: Switchable way of storing FE-User Passwords (clear-text / MD5) - Closed - 2005-07-14

Updated by Oliver Hader about 15 years ago

Integrated via svn:externals in SVN Trunk (rev. 6067)
