[TYPO3-dev] Password handling (Regarding youngest security issues)

Christoph Blömer chbloemer at gmx.net
Fri Nov 14 20:03:43 CET 2008


Martin Kutschker schrieb:
> Xavier Perseguers schrieb:
>   
>> Now another point is the challenge response from the BE login form in
>> superchallenge mode for instance. The way it works is the following:
>>
>> TYPO3 sends a challenge as part of the form, the "password" or hash that
>> is sent back is
>>
>> hash = MD5( username :: MD5( password ) :: challenge )
>>
>> where :: stands for concatenation.
>>
>> This way, the auth service is able to recreate this hash and compare it.
>> The password stored in the DB is the MD5 ( password ) part of the hash
>> function above.
>>
>> If you want to salt your password with a domain key, e.g., the
>> encryption key as proposed by Daniel, then you won't be able to
>> calculate this hash as the hash calculated from TYPO3 will be
>>
>> hash_TYPO3 = MD5( username :: MD5( salted-password ) :: challenge )
>>
>> which will force you to send the salt within the BE login form, which
>> you don't want of course.
>>     
>
> Of course you don't.
>
> If we make the salt optional we can rely on SSL for transport security.
>
> If you have external password mechanisms (like LDAP authentication) you
> also have to turn superchallenge mode off. To me it is ok that I have to
> use SSL to get some extra protection within my storage system against
> data theft.
>
> Masi
>   
First of all, Typo3.org needs https to prevent capturing our password.
Sending a md5 which is calculated by JS doesn't make sense at all.
Somebody can capture the md5 and send it to the server to login.
This would make sense only when the server sends a unique challenge key
for each login.
The salt can be stored together with the encrypted key in the password
table. It will still prevent someone from looking it up in a rainbow
table. And users can be copied to different typo3 systems.
I do not prefer the encryption key for the whole system.
An update to sha1 would be advisable.

And I really hope our passwords were not stored in plain text like it is
with normal typo3 installations.

My 2 cents.
Christoph
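The exchange debated in this thread, as an added model that is not TYPO3's own code: the client sends MD5( username :: MD5( password ) :: challenge ), the server recomputes it from the stored MD5( password ) and a challenge it issued once. The class and function names, the constructed user record and the one-time challenge bookkeeping are assumptions made for the illustration. It shows the two points raised above: a captured response cannot be replayed when each login gets a fresh challenge, and a per-site salted hash in the database breaks the server's recomputation unless the client also knows the salt.

```python
"""Model of the superchallenge backend login exchange described in the thread.
Added illustration, not TYPO3 code; names and the sample user are assumptions."""
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a string, the primitive the scheme is built on."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def client_response(username: str, password: str, challenge: str) -> str:
    """What the browser-side JS sends: MD5(username :: MD5(password) :: challenge)."""
    return md5_hex(username + md5_hex(password) + challenge)


class ChallengeServer:
    """Server side (assumed shape): holds MD5(password) per user, issues
    one-time challenges, and recomputes the expected response from the
    stored hash rather than from the password itself."""

    def __init__(self, users: dict):
        # users maps username -> hash stored in the user table (constructed sample)
        self.stored = users
        self.outstanding = set()

    def issue_challenge(self) -> str:
        # One fresh random challenge per rendered login form, remembered until consumed.
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # A challenge that was never issued, or was already consumed, is rejected;
        # this is what stops a captured response from being reused.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        stored_hash = self.stored.get(username)
        if stored_hash is None:
            return False
        expected = md5_hex(username + stored_hash + challenge)
        return secrets.compare_digest(expected, response)


def demo_replay_blocked():
    """First login succeeds; resending the identical response is refused."""
    server = ChallengeServer({"admin": md5_hex("correct horse")})
    challenge = server.issue_challenge()
    resp = client_response("admin", "correct horse", challenge)
    first = server.verify("admin", challenge, resp)
    replay = server.verify("admin", challenge, resp)
    return first, replay


def demo_salted_storage_breaks_challenge() -> bool:
    """If the table holds MD5(salt :: password) instead of MD5(password), the
    server's recomputation no longer matches a client that only knows the
    password; this is the conflict Xavier describes."""
    salt = "per-site-secret"  # constructed sample value
    server = ChallengeServer({"admin": md5_hex(salt + "correct horse")})
    challenge = server.issue_challenge()
    resp = client_response("admin", "correct horse", challenge)
    return server.verify("admin", challenge, resp)


if __name__ == "__main__":
    print("first login, replay:", demo_replay_blocked())
    print("salted storage accepted:", demo_salted_storage_breaks_challenge())
```

The model keeps MD5 because that is what the thread discusses; the point it makes is independent of the digest, and holds equally for the sha1 variant suggested in the message.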