Integration of saltedpasswords as system extension
Passwords of backend users are stored as unsalted MD5 hashes, and weak passwords like "secret" can be recovered from such a hash using rainbow tables. Passwords of frontend users are not hashed at all.
The possibility of rainbow table attacks is reduced by adding a random salt to the stored hash. The saltedpasswords extension can create hashes using the PHP crypt() function or the phpass hashing framework, so the following hash variants can be used:
- MD5, hash starting with $1$
- Blowfish, hash starting with $2$ or $2a$
- phpass, hash starting with $P$
Since passwords are now transferred to the server in plain text, it is highly recommended and required to transfer that information via a secure channel like SSL/HTTPS or the rsaauth system extension.
Installing saltedpasswords using the extension manager will give you some remarks and suggestions concerning your system scenario and which settings have to be adjusted.
The saltedpasswords extension can be activated and configured for frontend and backend independently.
The saltedpasswords extension will modify the (hashed) passwords in the be_users and fe_users tables. So please test the behaviour first in a development environment, especially if you have custom extensions installed that perform direct queries on those tables and rely on that information.
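As an added example (not part of this issue or of the extension's own code), a small Python audit that classifies values from the be_users/fe_users password columns by the hash prefixes listed above, so you can see which accounts still hold an unsalted MD5 or plaintext password before and after the migration. The sample rows are constructed; the salted values are placeholders that only carry a valid prefix.

```python
import hashlib
import re
from collections import Counter

# Hash prefixes the saltedpasswords extension writes (as listed in the issue),
# versus the legacy formats it replaces: unsalted MD5 for backend users and
# plaintext for frontend users.
SALTED_PREFIXES = {
    "$1$": "md5-crypt (salted)",
    "$2$": "blowfish (salted)",
    "$2a$": "blowfish (salted)",
    "$P$": "phpass (salted)",
}
SALTED_LABELS = set(SALTED_PREFIXES.values())
UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")

def classify(stored):
    """Label one value from a be_users/fe_users password column."""
    for prefix, label in SALTED_PREFIXES.items():
        if stored.startswith(prefix):
            return label
    if UNSALTED_MD5.match(stored):
        return "unsalted md5 (rainbow-table exposed)"
    if stored == "":
        return "empty"
    return "plaintext (not hashed)"

def audit(rows):
    """rows: (table, username, stored_password) tuples.
    Returns per-table/label counts and the rows still lacking a salted hash."""
    summary = Counter()
    weak = []
    for table, user, stored in rows:
        label = classify(stored)
        summary[(table, label)] += 1
        if label not in SALTED_LABELS:
            weak.append((table, user, label))
    return summary, weak

# Constructed sample rows: the salted values are placeholders carrying only a
# valid prefix; the MD5 row is the real unsalted hash of "secret".
SAMPLE_ROWS = [
    ("be_users", "admin", hashlib.md5(b"secret").hexdigest()),
    ("be_users", "editor", "$1$saltsalt$placeholderhashvalue0000000"),
    ("fe_users", "alice", "hunter2"),
    ("fe_users", "bob", "$P$9placeholderphpasshashvalue000000000"),
    ("fe_users", "carol", "$2a$07$placeholderblowfishsaltandhash0000000000000000000"),
]
```

Running `audit(SAMPLE_ROWS)` on the constructed rows reports admin (unsalted MD5) and alice (plaintext) as still needing migration; point it at real rows exported from a development copy of the tables.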
SVN URI used for svn:externals:
(issue imported from #M12076)