[TYPO3-dev] Password handling (Regarding youngest security issues)
Martin Kutschker
masi-no at spam-typo3.org
Fri Nov 14 19:05:37 CET 2008

Marcus Krause schrieb:
> Steffen Kamper schrieb:
>> Hi,
>>
>> yes, it sounds good.
>> Anyway we have an encryptionKey, which should be mandatory while
>> install (may be create one from url as default), this can be used for
>> encryption too: md5(password + encryptionKey) so it should be unique for
>> every install instance.
> 
> Using the encryption key will require that it never changes; otherwise
> login attempts will fail.
> Therefore, we will use salts which then are stored together with the
> password hash.
Which IMHO defeats the whole purpose. The salt must not be stored
together with the hash.
I wouldn't use the standard "encryptionKey" of TYPO3 but use a different
one (perhaps even different ones for BE and FE).
If we want to have different salts for different users I suggest storing
them somewhere in the file system (e.g. in a serialized array or within a
DBA).
Masi
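As an added illustration (not code from the thread or from TYPO3), the following Python shows the two ingredients the discussion above is weighing: a random per-user salt that is stored in the password record itself, and a site-wide secret standing in for TYPO3's encryptionKey that is kept outside the database. The key name, the iteration count and the record format are assumptions made for the example; the stretching uses PBKDF2-HMAC-SHA256 from the standard library rather than the plain md5 mentioned in the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a site-wide secret such as TYPO3's encryptionKey.
# In a deployment it lives in configuration on the file system, never in the
# same table as the password hashes.
SITE_KEY = b"example-site-key-not-a-real-secret"

# Work factor for the key-stretching step (assumed value for the example).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  site_key: bytes = SITE_KEY) -> str:
    """Return a record of the form 'iterations$salt_hex$digest_hex'.

    The salt is random per user and is stored openly inside the record; its
    job is to make identical passwords hash differently and to defeat
    precomputed tables.  The site key is mixed in via HMAC so that a leaked
    table cannot be verified or cracked without the key held outside the DB.
    """
    if salt is None:
        salt = os.urandom(16)
    keyed = hmac.new(site_key, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str,
                    site_key: bytes = SITE_KEY) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    keyed = hmac.new(site_key, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_record(password: str) -> bool:
    """Two users choosing the same password: do their records collide?"""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("wrong", record))
    # Changing the site-wide key invalidates every existing record.
    print("after key rotation:",
          verify_password("correct horse battery staple", record,
                          site_key=b"rotated-key"))
    print("identical passwords collide:",
          same_password_same_record("correct horse battery staple"))
```

The two failure modes the thread mentions are visible in the last two checks: the per-user salt means two accounts with the same password produce different records, and rotating the site-wide key makes every previously stored record unverifiable, which is exactly why a key that is mixed into the hash has to stay constant for the lifetime of those records.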