[TYPO3-dev] Password handling (Regarding youngest security issues)

Martin Kutschker masi-no at spam-typo3.org
Fri Nov 14 19:08:35 CET 2008


Sebastian Gebhard wrote:
> Hello folks,
> 
> a while ago I was thinking about how the password handling could be
> improved and now in the light of recent events I remembered my thoughts.
> I hope to get some feedback what you think about it.
> 
> Of course the most obvious change that is needed is to encrypt the
> passwords of the FE-Users. We all know there is the possibility to do
> this by extensions and this should absolutely be a native thing for
> future releases. But that's not the point I want to make.
> 
> As Jochen Weiland showed at T3CON (I was not there unfortunately) md5
> passwords are not 100% safe. So-called rainbow tables collect a huge
> amount of passwords and their md5 hashes (including whole dictionaries but
> also cryptic looking passwords). Those services are public to use in the
> web and not hard to find. So everybody can easily revert a md5-hash into
> its origin if it is listed in a rainbow table. (Try it with some of
> your passwords, you'll be surprised)
> 
> Now these tables work because md5 of course works always the same way.
> joh316 will always be hashed to bacb98acf97e0b6112b1d1b650b84971 in every
> project. Not only TYPO3 but also every other project that uses md5 which
> are quite a lot.
> 
> Now if every project had its "own" md5, the general rainbow tables
> would be ineffective trying to decrypt these hashes. An attacker would
> have to create a rainbow table for the certain project he wants to
> attack, which is a bit of work.
> 
> Now how do we get unique md5 behaviour for each project? This would be
> quite simple: Just prepend all passwords with a unique project key
> before hashing them.
> 
> So if Project1 has the key _rhlzu and Project 2 has the key _wbjvw then
> joh316 would be encrypted:
> 
> Project1:
> 
> joh316 => joh316_rhlzu => a0e4932e3c3b8e0921d6f3dd4b553790
> 
> Project2:
> 
> joh316 => joh316_wbjvw => 22c5174f8175575ddd95cce4858ef189
> 
> I think managing the key via the install tool would be a good idea. The
> install tool should propose a randomly generated key, but the user (I
> mean the person installing TYPO3) should have the possibility to give
> his/her own key, e.g. to make the project compatible with a second project.
> 
> Now what if you want to merge two projects including their users? Now
> that's always difficult because you have to take care of double used
> usernames etc. Regarding passwords the minor project should take the key
> of the major one and all users of the minor project should get mails
> with newly generated passwords. In the light of change for the users that
> merging two communities brings along this step should be accepted by the
> users, since they know "something good is going on".
> 
> Ok.. these are my thoughts.

Maybe not much better, but we can also try using SHA1. I've seen
JavaScript implementations, so it can be easily used - in *new*
installations(!) - if we add a BE[passwordDigestAlgorithm] config that
allows the values of "md5" (default) and "sha1" or any other digest
algorithm with PHP and JavaScript implementations.

Masi
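
Added example (not part of the original thread and not TYPO3 code): the project-key scheme from the quoted message, with the digest algorithm selectable by name as in the reply, checked against a constructed lookup table of plain hashes. The function names and the per-user salt variant are assumptions of this example; the password and keys are the ones used in the message.

```python
import hashlib
import hmac
import secrets

def digest(data, algorithm="md5"):
    """Hex digest using a hashlib algorithm name such as "md5" or "sha1"."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()

def keyed_digest(password, project_key, algorithm="md5"):
    """Scheme from the quoted message: hash(password + project key)."""
    return digest(password + project_key, algorithm)

def build_lookup_table(candidates, algorithm="md5"):
    """Stand-in for a public precomputed table: plain hash -> password."""
    return {digest(p, algorithm): p for p in candidates}

def salted_digest(password, project_key, salt=None, algorithm="md5"):
    """Assumed variant, not proposed in the thread: random per-user salt
    stored next to the hash as "salt$hash"."""
    salt = salt or secrets.token_hex(8)
    return salt + "$" + digest(salt + password + project_key, algorithm)

def verify_salted(password, project_key, stored, algorithm="md5"):
    """Recompute with the stored salt and compare in constant time."""
    salt = stored.split("$", 1)[0]
    candidate = salted_digest(password, project_key, salt, algorithm)
    return hmac.compare_digest(candidate, stored)

def demo(algorithm="md5"):
    # Constructed sample list standing in for a public table's contents.
    table = build_lookup_table(["joh316", "secret", "typo3"], algorithm)
    p1 = keyed_digest("joh316", "_rhlzu", algorithm)
    p2 = keyed_digest("joh316", "_wbjvw", algorithm)
    user_a = salted_digest("joh316", "_rhlzu", algorithm=algorithm)
    user_b = salted_digest("joh316", "_rhlzu", algorithm=algorithm)
    return {
        "plain_hash_found": digest("joh316", algorithm) in table,
        "keyed_hash_found": p1 in table or p2 in table,
        "projects_differ": p1 != p2,
        "same_key_same_hash": p1 == keyed_digest("joh316", "_rhlzu", algorithm),
        "salted_users_differ": user_a != user_b,
        "salted_verifies": verify_salted("joh316", "_rhlzu", user_a, algorithm),
    }

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, demo(alg))
```

Within one project the key is constant, so two users with the same password still get the same hash; the per-user salt variant removes that while keeping the project key.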



