[TYPO3-dev] Security Warning

Michael Scharkow michael at underused.org
Wed Feb 8 08:50:02 CET 2006


Arne Skjaerholt wrote:
> I think his point is something I've brought up as well:
> the passwords of Typo3's frontend users are stored in plaintext in the
> db and provided through a field in the fe_user object
> ($GLOBALS["TSFE"]->fe_user->user["password"] if memory serves me right). Some
> (me included) consider this a security problem. I feel that any password
> should be salted and hashed before being stored in the DB.
> 
> Some prefer the ability to fetch passwords for people who forget them,
> but I'd rather just reset them to some random value and mail that to
> them. But then again, this is something that can be discussed at great
> length.

No need for discussion, it has all been done a long time ago:
http://typo3.org/extensions/repository/search/kb_md5fepw/

We can't make it a core feature yet because of the 
holy-cow-of-backwards-compatibility I guess.

Cheers,
Michael
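As an added illustration (not code from this thread, from TYPO3 or from the kb_md5fepw extension), the three storage models under discussion in modern PHP: plaintext as criticised above, a salted one-way hash via password_hash() (PHP 5.5+, used here instead of the MD5 scheme the extension name suggests), and a "forgot password" flow that mails a random value while the database keeps only its hash. The fe_users-style values are constructed for the demo.

```php
<?php
// Added example, not TYPO3 code. Demonstrates the three storage models
// discussed in the thread on constructed sample values.

// 1. Plaintext storage: the stored value IS the credential, so anyone who can
//    read the row (a DB dump, an injection, or simply reading
//    $GLOBALS["TSFE"]->fe_user->user["password"] in a template) has it.
function storePlaintext(string $password): string
{
    return $password;
}

// 2. Salted, one-way hash. password_hash() draws a random salt from a CSPRNG
//    and embeds salt, algorithm and cost in the returned string, so nothing
//    else needs to be stored and the plaintext cannot be recovered from it.
function storeHashed(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification re-hashes the candidate with the embedded salt and compares
// in constant time; the stored value is never decrypted.
function verifyHashed(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// 3. Reset instead of recovery: generate a random value, mail it to the
//    user, and store only its hash. Even the DB never learns the new secret.
function issueReset(): array
{
    $temp = bin2hex(random_bytes(12)); // 24 hex chars from a CSPRNG
    return ['mail_to_user' => $temp, 'store_in_db' => storeHashed($temp)];
}

// Demo on constructed values.
$plain  = storePlaintext('correct horse');
$hashed = storeHashed('correct horse');
var_dump($plain === 'correct horse');            // plaintext is readable as-is
var_dump(verifyHashed('correct horse', $hashed)); // correct password verifies
var_dump(verifyHashed('wrong', $hashed));         // wrong password is rejected

$reset = issueReset();
var_dump(verifyHashed($reset['mail_to_user'], $reset['store_in_db']));
```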