[TYPO3-dev] Security Warning

Christian Lerrahn typo3 at penpal4u.net
Wed Feb 8 07:07:36 CET 2006


On Wed, 08 Feb 2006 02:46:10 +0100
Arne Skjaerholt <arnsholt at broadpark.no> wrote:

> I think his point is something I've brought up as well:
> the passwords of Typo3's frontend users are stored in plaintext in the
> db and provided through a field in the fe_user object
> ($GLOBALS["TSFE"]->fe_user->user["password"] if memory serves me right). Some
> (me included) consider this a security problem. I feel that any password
> should be salted and hashed before being stored in the DB.

Hm, you're talking about a completely different topic here. The thread is
about the db user and password from localconf.php. This password cannot
be hashed because it is used for authentication. If you hashed that, the
visitor would have to enter it first, to make Typo3 able to connect to
the db. This wouldn't make much sense with a website, would it? (forgive
me for the irony ;-))
 
Cheers,
Christian


-- 
    "When he speaks, it is done; when he commands, it stands there."
    
    Psalm 33:9
    
    In the beginning was the Word, and the Word was with God, and the
    Word was God. The same was in the beginning with God. All things
    were made through him, and without him nothing was made that has
    been made.
    
    John 1:1-3
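
Added example (not part of the original message, and not TYPO3 code): salted hashing fits passwords the site itself verifies, such as the frontend user rows, whereas the database password in localconf.php must stay recoverable because TYPO3 presents it to the database as a client. The PHP below assumes hypothetical helpers `isHashed()` and `verifyAndUpgrade()` and constructed sample rows; it verifies a login and replaces a legacy plaintext value with a salted hash on the first successful login.

```php
<?php
// Added example. Helper names are hypothetical; sample rows are constructed.

/** True if the stored value is already password_hash() output. */
function isHashed(string $stored): bool
{
    // 'algo' is null (PHP >= 7.4) or 0 (older) for unrecognised strings.
    return !empty(password_get_info($stored)['algo']);
}

/**
 * Check a submitted password against one stored value.
 * Returns [bool $ok, ?string $newStored]; $newStored is set when the
 * row should be rewritten (legacy plaintext or outdated hash parameters).
 */
function verifyAndUpgrade(string $submitted, string $stored): array
{
    if (isHashed($stored)) {
        $ok = password_verify($submitted, $stored);
        $rewrite = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } else {
        // Legacy plaintext row: constant-time compare, then replace it.
        $ok = hash_equals($stored, $submitted);
        $rewrite = $ok;
    }
    // password_hash() generates a fresh random salt for every call.
    return [$ok, $rewrite ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Constructed sample data standing in for frontend user rows.
$rows = [
    'alice' => 'correct horse',                          // legacy plaintext
    'bob'   => password_hash('s3cret', PASSWORD_DEFAULT), // already hashed
];

$logins = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 's3cret']];
foreach ($logins as [$user, $password]) {
    [$ok, $newStored] = verifyAndUpgrade($password, $rows[$user]);
    if ($newStored !== null) {
        $rows[$user] = $newStored; // in a real system: UPDATE the user row
    }
    printf("%s: %s, stored as hash: %s\n",
        $user, $ok ? 'ok' : 'denied', isHashed($rows[$user]) ? 'yes' : 'no');
}
```

Once a row has been rewritten, the application no longer holds the user's password in readable form, which is exactly why the same approach cannot be applied to a credential the application itself has to present.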
    



