[TYPO3-dev] Password handling (Regarding youngest security issues)

Martin Kutschker masi-no at spam-typo3.org
Fri Nov 14 19:11:29 CET 2008


Xavier Perseguers wrote:
> Now another point is the challenge response from the BE login form in
> superchallenge mode for instance. The way it works is as follows:
> 
> TYPO3 sends a challenge as part of the form, the "password" or hash that
> is sent back is
> 
> hash = MD5( username :: MD5( password ) :: challenge )
> 
> where :: stands for concatenation.
> 
> This way, the auth service is able to recreate this hash and compare it.
> The password stored in the DB is the MD5( password ) part of the hash
> function above.
> 
> If you want to salt your password with a domain key, e.g., the
> encryption key as proposed by Daniel, then you won't be able to
> calculate this hash as the hash calculated from TYPO3 will be
> 
> hash_TYPO3 = MD5( username :: MD5( salted-password ) :: challenge )
> 
> which will force you to send the salt within the BE login form, which
> you don't want of course.

Of course you don't.

If we make the salt optional we can rely on SSL for transport security.

If you have external password mechanisms (like LDAP authentication) you
also have to turn superchallenge mode off. To me it is ok that I have to
use SSL to get some extra protection within my storage system against
data theft.

Masi
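
The exchange Xavier describes above, worked through as an added example. This is not TYPO3's own PHP/JavaScript code; it is an illustration of the scheme as stated in the thread, and it goes one step beyond the quoted text to show the point behind Masi's remark about data theft: with the stored MD5( password ) the client never needs the plaintext, so a copy of the DB value answers any challenge. The salted variant shows why a domain salt breaks the exchange unless the client learns the salt. The "::" concatenation is taken to be plain string concatenation with no separator, the challenge to be a random hex string, and the salt to be prepended; those details, and all function names, are assumptions of this example, not facts about TYPO3.

```python
"""
Added example (not TYPO3 code): the BE "superchallenge" exchange as
described in the thread, and why a server-side salt breaks it.

Assumptions (not from the thread): "::" is plain concatenation with no
separator, the challenge is a random hex string, the salt is prepended
to the password before hashing. All names here are this example's own.
"""
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """MD5 as a lowercase hex digest, the primitive the thread's scheme uses."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def issue_challenge() -> str:
    """Server side: a fresh random challenge embedded in the login form."""
    return secrets.token_hex(16)


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side (login form): hash = MD5( username :: MD5( password ) :: challenge )."""
    return md5_hex(username + md5_hex(password) + challenge)


def server_verify(db_hash: str, username: str, challenge: str, response: str) -> bool:
    """Server side: recompute from the stored MD5( password ) and compare.
    The server only ever needs db_hash, never the plaintext password."""
    expected = md5_hex(username + db_hash + challenge)
    return secrets.compare_digest(expected, response)


def unsalted_exchange(username: str, password: str, attempt: str) -> bool:
    """One full unsalted round: the DB holds MD5( password ), the client
    answers using `attempt` as its password."""
    db_hash = md5_hex(password)
    challenge = issue_challenge()
    response = client_response(username, attempt, challenge)
    return server_verify(db_hash, username, challenge, response)


def stolen_hash_login(username: str, password: str) -> bool:
    """Attacker who copied the DB holds only MD5( password ), not the
    password. Because the client-side formula takes MD5( password ) as
    input, the stolen value is enough to answer any challenge."""
    db_hash = md5_hex(password)
    challenge = issue_challenge()
    response = md5_hex(username + db_hash + challenge)  # no plaintext needed
    return server_verify(db_hash, username, challenge, response)


def salted_db_hash(password: str, site_salt: str) -> str:
    """Salted storage as proposed in the thread: MD5( salt :: password ).
    (Salt placement is an assumption of this example.)"""
    return md5_hex(site_salt + password)


def salted_exchange(username: str, password: str, site_salt: str,
                    client_knows_salt: bool) -> bool:
    """Superchallenge against a salted DB value. The server computes
    MD5( username :: MD5( salt :: password ) :: challenge ); the client can
    only match that if it knows the salt, i.e. if the salt was sent in the
    login form, which is exactly what nobody wants."""
    db_hash = salted_db_hash(password, site_salt)
    challenge = issue_challenge()
    if client_knows_salt:
        inner = md5_hex(site_salt + password)  # salt leaked to the browser
    else:
        inner = md5_hex(password)              # normal client, no salt
    response = md5_hex(username + inner + challenge)
    return server_verify(db_hash, username, challenge, response)


if __name__ == "__main__":
    # Constructed sample credentials, not real TYPO3 accounts.
    print("legit login      :", unsalted_exchange("admin", "correct horse", "correct horse"))
    print("wrong password   :", unsalted_exchange("admin", "correct horse", "battery staple"))
    print("stolen DB hash   :", stolen_hash_login("admin", "correct horse"))
    print("salted, no salt  :", salted_exchange("admin", "correct horse", "site-key", False))
    print("salted, salt sent:", salted_exchange("admin", "correct horse", "site-key", True))
```

The third line of output is the practical reading of Masi's point: in superchallenge mode the stored hash is a password equivalent, so the challenge only protects the wire, not the database. Moving the salt into the DB value (fourth and fifth lines) closes that gap only by turning the challenge-response off or by shipping the salt to the client, which is why the thread ends up relying on SSL for transport instead.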
