[TYPO3-dev] Password handling (Regarding youngest security issues)
Niels Fröhling
niels.froehling at adsignum.com
Fri Nov 14 18:21:07 CET 2008
Steffen Kamper wrote:
> Hi,
>
> yes, it sounds good.
> Anyway we have an encryptionKey, which should be mandatory while
> install (may be create one from url as default), this can be used for
> encryption too: md5(password + encryptionKey) so it should be unique for
> every install instance.
>
With respect to this, I would like to hint that it's better to stay
compatible with http-auth digest, which means you can't use simply any
wild password-scrambler algorithm.
If you want to have http-auth still, you can use only subsets of the
digest-scrambler. A possibility would be:
HA1 = MD5(username:realm:password)
in which case "realm" represents your salt, but also the readable
access-point.
So just don't develop any wild algorithms that will break existing
communication-channel authentications.
I for example had implementation-problems for http-auth for BE-users,
because md5(pass) is completely useless for calculating the digest.
Anyway I don't want to start a discussion here about algorithms. From a
security standpoint obviously any web-site with access has
https, and I have a personal public/private key pair for each of them,
instead of a password. Yeah ...
It's two different things if you can successfully prevent
man-in-the-middle breaches, or if you without better knowledge allow
insight into the password-tables.
:)
Ciao
Niels