[TYPO3-dev] MD5 for FE-User password?

Thorsten Kahler thorsten.kahler at dkd.de
Thu Nov 8 09:21:10 CET 2007


Hi Malte,

Malte Jansen wrote on 07.11.2007 11:36:
>>> MD5 is not required for all sites.
>>> Additionally "Send forgot password" would fail.
>>> So I would appreciate a solution where the admin could decide, i.e.
>>> leave the status as it is.
>>
>> there could be a general flag in installtool for usage of md5 or not.
> 
> Should not be done, because if you only have a "guest account", you do not
> know how the password is saved. Then T3 would be like a
> "password-spykit", which it is now...
> 
> For all new versions it should be forced, although the login-extensions
> must be changed.
> 


I'm not sure what you mean by "guest account" but I guess you're talking
about FE users, aren't you?

A FE user will /never/ know what happens to the information he submits. Even
if the password is /stored/ as md5-hash it can be sent or stored everywhere
else in cleartext. And this issue is neither specific to a TYPO3
installation, a TYPO3 version or TYPO3 at all. It's always a matter of trust
in the website owner.

TYPO3 can and should help admins / responsible persons to make their sites
more trustworthy. So every step in that direction will help. But whatever
changes may be done to the core, TYPO3 can't prevent website owners from
getting a grip on their users' passwords.

Regards
Thorsten

-- 

Thorsten Kahler
thorsten.kahler at dkd.de



