Feature #26786

Use a safe password hashing mechanism

Added by Christopher Hlubek about 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Must have
Category: -
Target version:
Start date: 2011-05-12
Due date:
% Done: 100%


Description

The current AccountFactory uses the generateSaltedMd5 method of the HashService. Since MD5 is not considered safe, we should switch to either sha1 or another method for password hashing (e.g. also use an HMAC).


Related issues

Related to TYPO3 Core - Feature #28230: Add support for PBKDF2 to hashing (Closed, 2011-07-15)

Associated revisions

Revision ad4c9a7e
Added by Christopher Hlubek almost 9 years ago

[!!!][FEATURE] Implement a safe password hashing mechanism using PBKDF2

This change implements a configurable password hashing strategy for
the hash service and a PBKDF2 based password hashing strategy which
generates strong hashed passwords and uses multiple iterations for
brute-force protection.

To use the old salted MD5 hashing, the password hashing strategy
may be replaced in the Objects.yaml.

Change-Id: I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc
Resolves: #26786

History

#1 Updated by Christopher Hlubek about 9 years ago

I would suppose to use a standardized and proven way of creating password hashes for storage: see http://en.wikipedia.org/wiki/PBKDF2 and http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard

With a decent iteration count (> 10,000) it should be considered safe for now.
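Added example (not the Flow hash service's code) of the PBKDF2 password-storage scheme proposed above and described in the commit message: a per-password random salt, an iteration count above 10,000, and a self-describing stored record so the strategy and its parameters remain configurable and a verifier can re-run the exact derivation later. The algorithm name, iteration count, salt length, key length and record layout are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not the Flow configuration).
# The iteration count follows the "> 10,000" guidance from the comment.
ALGORITHM = "sha256"
ITERATIONS = 12000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a record 'pbkdf2_<algo>$<iterations>$<salt>$<key>' (base64 fields).

    Storing algorithm, iteration count and salt next to the derived key lets
    verify_password() repeat the same derivation and lets the iteration count
    be raised for new passwords without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, KEY_BYTES)
    return "$".join(["pbkdf2_" + ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password, record):
    """Re-derive with the parameters stored in the record; constant-time compare."""
    try:
        scheme, iterations, salt_b64, key_b64 = record.split("$")
        prefix, algo = scheme.split("_", 1)
        if prefix != "pbkdf2":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt,
                                        int(iterations), len(expected))
    except (ValueError, TypeError):
        return False  # malformed record or unknown digest: never a match
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < minimum_iterations
    except (IndexError, ValueError):
        return True
```

needs_rehash() is the hook for raising the work factor over time: on a successful login, a record below the current minimum is replaced by hash_password() on the freshly verified plaintext.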

#2 Updated by Mr. Hudson about 9 years ago

Patch set 1 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#3 Updated by Mr. Hudson about 9 years ago

Patch set 2 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#4 Updated by Christopher Hlubek about 9 years ago

  • Status changed from New to Under Review
  • Assignee set to Christopher Hlubek

I implemented a PBKDF2 based password hashing and refactored the hash service to enable configurable password hashing strategies.

#5 Updated by Mr. Hudson about 9 years ago

Patch set 4 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#6 Updated by Mr. Hudson almost 9 years ago

Patch set 5 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#7 Updated by Mr. Hudson almost 9 years ago

Patch set 6 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

#8 Updated by Christopher Hlubek almost 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:ad4c9a7e4e6950c16c4a2cf138bafe69958af8ca.
