Feature #26786: Use a safe password hashing mechanism - TYPO3 Flow Base Distribution - TYPO3 Forge

CMS-Garden Composer Team Editorial Team Extension Comparison Extension Coordination Team Marketing Team Sandbox Screencast Team Server Team Translation Team (archived projects)BLE Project DEV3 flow3.typo3.org Logging Project ReStructured Text Infrastructure TYPO3 Flow TYPO3 Flow Base Distribution TYPO3.Eel TYPO3.Flow TYPO3.Fluid TYPO3.Kickstart TYPO3.Welcome Packages Applications TYPO3 Neos

Custom queries

Hierarchical Issues
Issues under review
Most wanted Bugfixes
Most wanted Features
My open issues
New & Unassigned
Open Bugs
Open Issues for 1.0.6
Open issues for 1.1.1
Open issues for 2.0
Open issues for 2.0.x
Recently modified

Watchers (1)

Andreas Förthner

Feature #26786

Use a safe password hashing mechanism

Added by Christopher Hlubek about 11 years ago. Updated almost 11 years ago.

Status:

Resolved

Priority:

Must have

Assignee:

Christopher Hlubek

Category:

Target version:

1.0 beta 1

Start date:

2011-05-12

Due date:

% Done:

100%

Estimated time:

Description

The current AccountFactory uses the generateSaltedMd5 method of the HashService. Since MD5 is considered to be not safe, we should switch to either sha1 or another method for password hashing (e.g. also use an hmac).

Related issues

Related to TYPO3 Core - Feature #28230: Add support for PBKDF2 to hashing

Closed

Stefan Neufeind

2011-07-15

Actions

Issue # Delay: days Cancel

History
Notes
Associated revisions

Updated by Christopher Hlubek almost 11 years ago

I would suppose to use a standardized and proven way of creating password hashes for storage: see http://en.wikipedia.org/wiki/PBKDF2 and http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard

With a decent iteration count (> 10,000) it should be considered safe for now.

Updated by Mr. Hudson almost 11 years ago

Patch set 1 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

Updated by Mr. Hudson almost 11 years ago

Patch set 2 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

Updated by Christopher Hlubek almost 11 years ago

Status changed from New to Under Review
Assignee set to Christopher Hlubek

I implemented a PBKDF2 based password hashing and refactored the hash service to enable configurable password hashing strategies.

Updated by Mr. Hudson almost 11 years ago

Patch set 4 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

Updated by Mr. Hudson almost 11 years ago

Patch set 5 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

Updated by Mr. Hudson almost 11 years ago

Patch set 6 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332

Updated by Christopher Hlubek almost 11 years ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset commit:ad4c9a7e4e6950c16c4a2cf138bafe69958af8ca.

Also available in: Atom PDF