[TYPO3-dev] MD5 for FE-User password?

Malte Jansen mail at maltejansen.de
Thu Nov 8 10:22:50 CET 2007


Thorsten Kahler wrote:
> Hi Malte,
> 
> Malte Jansen wrote on 07.11.2007 11:36:
>>>> MD5 is not required for all sites.
>>>> Additionally "Send forgot password" would fail.
>>>> So I would appreciate a solution where the admin could decide, i.e.
>>>> leave the status as it is.
>>> There could be a general flag in the install tool for usage of md5 or not.
>> Should not be done, because if you only have a "guest account", you do not
>> know how the password is saved. Then T3 would be like a
>> "password-spykit", which it is now...
>>
>> For all new versions it should be forced, although the login extensions
>> must be changed.
>>
> 
> 
> I'm not sure what you mean with "guest account", but I guess you're talking
> about FE users, aren't you?
> 
> A FE user will /never/ know what happens to the information he submits. Even
> if the password is /stored/ as an md5 hash it can be sent or stored everywhere
> else in cleartext. And this issue is neither specific to a TYPO3
> installation, a TYPO3 version nor TYPO3 at all. It's always a matter of trust
> in the website owner.
> 
> TYPO3 can and should help admins / responsible persons to make their sites
> more trustworthy. So every step in that direction will help. But whatever
> changes may be done to the core, TYPO3 can't prevent website owners from getting
> a grip on their users' passwords.
> 
> Regards
> Thorsten
> 
Hi,

"guest account" means a FE account somewhere else, where you have no
admin rights.

You are right, you can get it from the POST vars. But you should not
provide any admin with direct access via phpMyAdmin or something else.
Many admins only set up a CMS and have no clue about POST and PHP.

If you force every T3 instance to use md5, somebody has to spy on the
password and make up some code for it. So he incurs a penalty and cannot
say that it is not encrypted...

Malte
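The two storage modes the thread argues about, as an added PHP example that is not TYPO3 code: `$useMd5` stands in for the proposed install-tool flag, the `$row` array for a fe_users record, and the reset URL is a placeholder.

```php
<?php
// Added illustration, not TYPO3 core code: the two fe_users storage modes
// discussed in the thread, with a constructed in-memory row standing in for
// the database. $useMd5 plays the role of the proposed install-tool flag.
// md5() is used because it is what the thread proposes; current PHP offers
// password_hash() for this job.

function storePassword(array &$row, string $plain, bool $useMd5): void
{
    // The browser submits $plain in cleartext in the POST body either way;
    // the flag only changes what gets written to the database.
    $row['password'] = $useMd5 ? md5($plain) : $plain;
}

function checkLogin(array $row, string $plain, bool $useMd5): bool
{
    $candidate = $useMd5 ? md5($plain) : $plain;
    return hash_equals($row['password'], $candidate);
}

// "Send forgot password" can only mail the password back when the
// cleartext is stored. With a hash it cannot be recovered, so the handler
// has to issue a one-time reset token instead (URL is a placeholder).
function forgotPassword(array &$row, bool $useMd5): string
{
    if (!$useMd5) {
        return 'Your password is: ' . $row['password'];
    }
    $row['reset_token']   = bin2hex(random_bytes(16));
    $row['reset_expires'] = time() + 3600;
    return 'Reset link: https://example.test/reset?token=' . $row['reset_token'];
}

// What an admin with direct database access (e.g. phpMyAdmin) would see
// in each mode, and how login and "forgot password" behave.
foreach ([false, true] as $useMd5) {
    $row = ['username' => 'guest'];            // constructed sample row
    storePassword($row, 's3cret', $useMd5);
    printf("md5 flag %s: stored value = %s\n",
        $useMd5 ? 'on ' : 'off', $row['password']);
    var_dump(checkLogin($row, 's3cret', $useMd5));   // correct password
    var_dump(checkLogin($row, 'wrong', $useMd5));    // wrong password
    echo forgotPassword($row, $useMd5), "\n";
}
```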
