[TYPO3-dev] Password handling (Regarding youngest security issues)

Marcus Krause marcus#exp2008 at t3sec.info
Fri Nov 14 17:56:26 CET 2008


Steffen Kamper wrote:
> Hi,
> 
> yes, it sounds good.
> Anyway, we have an encryptionKey, which should be mandatory during
> install (maybe create one from the URL as default); this can be used for
> encryption too: md5(password + encryptionKey), so it should be unique for
> every install instance.

Using the encryption key will require that it never changes; otherwise
login attempts will fail.
Therefore, we will use salts which then are stored together with the
password hash.
Salts will be different for every user record.

Marcus.
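
The trade-off discussed in this thread, as an added example that is not part of the original post and not TYPO3 code: the quoted `md5(password + encryptionKey)` scheme next to a per-user salt stored with the hash. PBKDF2-HMAC-SHA256, the `salt$hash` storage format, the iteration count, the sample keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: not a value from the thread


def key_hash(password, encryption_key):
    """Quoted proposal: md5(password + encryptionKey), one key per install."""
    return hashlib.md5((password + encryption_key).encode()).hexdigest()


def key_verify(password, encryption_key, stored):
    return hmac.compare_digest(key_hash(password, encryption_key), stored)


def salted_hash(password, salt=None):
    """Per-user random salt, stored together with the hash as 'salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def salted_verify(password, stored):
    # The salt is read back from the stored record, so no site-wide secret is needed.
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def demo():
    old_key, new_key = "constructed-key-A", "constructed-key-B"  # constructed samples
    password = "correct horse"                                   # constructed sample
    keyed_record = key_hash(password, old_key)
    alice, bob = salted_hash(password), salted_hash(password)
    return {
        # Keyed scheme: works until the install's key changes, then every login fails.
        "keyed_login_old_key": key_verify(password, old_key, keyed_record),
        "keyed_login_new_key": key_verify(password, new_key, keyed_record),
        # Keyed scheme: two users with the same password get identical records.
        "keyed_records_identical": key_hash(password, old_key) == keyed_record,
        # Salted scheme: verification depends only on the stored record.
        "salted_login": salted_verify(password, alice),
        "salted_wrong_password": salted_verify("wrong", alice),
        "salted_records_identical": alice == bob,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```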



