[Typo3-dev] FE users' password security?

Arne Skjaerholt arnsholt at broadpark.no
Mon Apr 4 18:37:00 CEST 2005


I've been working with the FE user stuff of Typo3 recently and I
recently found that FE user passwords are stored unencrypted in the DB
(as well as being provided in the clear in the user management section of
the BE and in the $GLOBALS["TSFE"]->fe_user->user array). Seeing how
the BE users' passwords are stored as MD5 hashes this has to be a
conscious design decision, which prompts the question "Why?".
Apart from retrieval of passwords, I can come up with no good reason
to store passwords unencrypted (and even then the passwords should
at least be encrypted with a two-way encryption scheme like blowfish,
DES, AES or what-have-you). Besides, far better security is achieved
with one-way encrypted (and ideally, salted) passwords and simply
resetting the password if the user forgets the password.
Is there anything I have missed, or is the security of FE users'
passwords simply not a concern?

Arne
:wq
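The storage scheme the post argues for (one-way, salted hashing plus a reset flow instead of password retrieval), as an added example that is not part of the original message and is not TYPO3 code. It uses an in-memory dict standing in for the fe_users table, PBKDF2-HMAC-SHA256 as the one-way function, and a hypothetical iteration count; the plain-MD5 helper is there only to show why a salt matters (two users with the same password get the same unsalted digest, but different salted ones).

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Hypothetical work factor for PBKDF2; tune to the hardware the site runs on.
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Unsalted MD5, the scheme the post describes for BE users. Shown only
    for contrast: equal passwords produce equal digests, so a leaked table
    reveals shared passwords and can be attacked with precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted hash. A fresh random salt per user means equal
    passwords no longer look equal in the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class FrontendUserStore:
    """Constructed stand-in for the fe_users table. Only the hash is ever
    stored, so neither the BE user list nor a DB dump can show a password."""

    def __init__(self) -> None:
        self.users: dict = {}
        # username -> sha256 of the outstanding reset token (tokens are
        # stored hashed too, so a DB read does not yield usable tokens)
        self.reset_tokens: dict = {}

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = {"password": hash_password(password)}

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record["password"])

    def request_reset(self, username: str) -> Optional[str]:
        """Issue a single-use token (in practice sent to the user's e-mail)."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[username] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        """Replace the hash if the token matches; the token is consumed either way
        once it matches, so it cannot be replayed."""
        expected = self.reset_tokens.get(username)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(presented, expected):
            return False
        del self.reset_tokens[username]
        self.users[username]["password"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = FrontendUserStore()
    store.create_user("alice", "correct horse")
    store.create_user("bob", "correct horse")
    print("same password, unsalted MD5 equal:",
          md5_unsalted("correct horse") == md5_unsalted("correct horse"))
    print("same password, salted hashes equal:",
          store.users["alice"]["password"] == store.users["bob"]["password"])
    print("login ok:", store.login("alice", "correct horse"))
```

Password retrieval is impossible by construction here; the only recovery path is `request_reset` followed by `complete_reset`, which is exactly the trade-off the post proposes.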
