[TYPO3-dev] Security Warning

Arne Skjaerholt arnsholt at broadpark.no
Wed Feb 8 02:46:10 CET 2006


I think his point is something I've brought up as well:
the passwords of TYPO3's frontend users are stored in plaintext in the
db and provided through a field in the fe_user object
($GLOBALS["TSFE"]->fe_user->user["password"] if memory serves me right).
Some (me included) consider this a security problem. I feel that any
password should be salted and hashed before being stored in the DB.

Some prefer the ability to fetch passwords for people who forget them,
but I'd rather just reset them to some random value and mail that to
them. But then again, this is something that can be discussed at great
length.

Arne
:wq
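
The approach argued for in the message above (store only a salted hash, and reset rather than retrieve a forgotten password), as an added example that is not part of the original post and not TYPO3 code. The `$feUsers` array is a constructed stand-in for the fe_users table, and the function names are hypothetical.

```php
<?php
// Constructed stand-in for the fe_users table: username => row.
// Only the hash is stored; the plaintext is never kept.
$feUsers = [];

// Store a new password. password_hash() generates a random per-user salt
// and embeds it, with the algorithm and cost, in the returned string.
function setPassword(array &$users, string $username, string $plaintext): void
{
    $users[$username]['password'] = password_hash($plaintext, PASSWORD_DEFAULT);
}

// Check a login attempt against the stored hash.
function checkLogin(array $users, string $username, string $attempt): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($attempt, $users[$username]['password']);
}

// Forgotten password: nothing can be read back, so generate a random
// replacement, store only its hash, and return the plaintext once so the
// caller can mail it to the user.
function resetPassword(array &$users, string $username): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    $temporary = bin2hex(random_bytes(12)); // 96 bits from the system CSPRNG
    setPassword($users, $username, $temporary);
    return $temporary;
}

// Constructed sample accounts: two users who picked the same password.
setPassword($feUsers, 'alice', 'correct horse battery staple');
setPassword($feUsers, 'bob', 'correct horse battery staple');

// Per-user salts make the two stored values differ despite equal passwords.
var_dump($feUsers['alice']['password'] !== $feUsers['bob']['password']);
var_dump(checkLogin($feUsers, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($feUsers, 'alice', 'wrong guess'));

// After a reset the old password stops working and only the mailed one does.
$mailed = resetPassword($feUsers, 'alice');
var_dump(checkLogin($feUsers, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($feUsers, 'alice', $mailed));
```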




