Feature #26786

Use a safe password hashing mechanism

Added by Christopher Hlubek about 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Must have
Category: -
Target version:
Start date: 2011-05-12
Due date:
% Done: 100%
Estimated time:

Description

The current AccountFactory uses the generateSaltedMd5 method of the HashService. Since MD5 is considered to be not safe, we should switch to either sha1 or another method for password hashing (e.g. also use an hmac).


Related issues

Related to TYPO3 Core - Feature #28230: Add support for PBKDF2 to hashing (Closed, Stefan Neufeind, 2011-07-15)

#1

Updated by Christopher Hlubek about 10 years ago

I would propose to use a standardized and proven way of creating password hashes for storage: see http://en.wikipedia.org/wiki/PBKDF2 and http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard

With a decent iteration count (> 10,000) it should be considered safe for now.
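Editor's added example, not part of the thread and not the code from the linked change: a PHP sketch of PBKDF2 password storage as proposed above, with the iteration count stored next to the salt so it can be raised later. The function names, the `pbkdf2$...` stored format, SHA-256 as the PRF and the 20000 iteration setting are assumptions made for illustration.

```php
<?php
// Added illustration: names, stored format and parameters are assumptions.
const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 20000;  // assumed value above the 10,000 floor named in the thread
const PBKDF2_KEY_BYTES = 32;
const PBKDF2_SALT_BYTES = 16;

/** Derive a hash and return "pbkdf2$<iterations>$<base64 salt>$<base64 key>". */
function hashPassword(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = random_bytes(PBKDF2_SALT_BYTES);  // fresh random salt per password
    $key = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, PBKDF2_KEY_BYTES, true);
    return implode('$', ['pbkdf2', $iterations, base64_encode($salt), base64_encode($key)]);
}

/** Verify a password against a stored string; unknown or malformed formats fail closed. */
function verifyPassword(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2' || !ctype_digit($parts[1])) {
        return false;
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $expected === false || $expected === '') {
        return false;
    }
    // Recompute with the parameters stored alongside the hash, not the current defaults.
    $actual = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);  // constant-time comparison
}

/** True when the stored value is not PBKDF2 or uses fewer iterations than the current setting. */
function needsRehash(string $stored): bool
{
    $parts = explode('$', $stored);
    return count($parts) !== 4 || $parts[0] !== 'pbkdf2' || (int) $parts[1] < PBKDF2_ITERATIONS;
}

// Constructed sample: a record created under an older, lower iteration setting.
$old = hashPassword('correct horse battery staple', 10001);
var_dump(verifyPassword('correct horse battery staple', $old));
var_dump(verifyPassword('wrong guess', $old));
var_dump(needsRehash($old));
var_dump(needsRehash(hashPassword('correct horse battery staple')));
```

Calling `needsRehash()` after a successful `verifyPassword()` lets old records be re-hashed at login, the only moment the plaintext password is available.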

#2

Updated by Mr. Hudson about 10 years ago

Patch set 1 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#3

Updated by Mr. Hudson about 10 years ago

Patch set 2 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#4

Updated by Christopher Hlubek about 10 years ago

  • Status changed from New to Under Review
  • Assignee set to Christopher Hlubek

I implemented a PBKDF2-based password hashing and refactored the hash service to enable configurable password hashing strategies.

#5

Updated by Mr. Hudson about 10 years ago

Patch set 4 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#6

Updated by Mr. Hudson almost 10 years ago

Patch set 5 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#7

Updated by Mr. Hudson almost 10 years ago

Patch set 6 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#8

Updated by Christopher Hlubek almost 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:ad4c9a7e4e6950c16c4a2cf138bafe69958af8ca.
