[TYPO3-dev] Password handling (Regarding youngest security issues)

Erik Svendsen erik at linnearad.no
Fri Nov 14 20:24:27 CET 2008


Hello Sebastian,


> As Jochen Weiland showed at T3CON (I was not there unfortunately) md5
> passwords are not 100% safe. So called rainbow tables collect a huge
> amount of passwords and their md5 hashes (including whole dictionaries
> but also cryptic looking passwords). Those services are public to use
> on the web and not hard to find. So everybody can easily revert a
> md5-hash into its origin if it is listed in a rainbow table. (Try it
> with some of your passwords, you'll be surprised)

That's correct, but to be a bit more precise (I was there): passwords of up to 
6 or 7 characters are pretty insecure even if they are md5 hashed. Passwords 
of 9 characters and more are pretty secure if they are random (not normal 
words) and hashed. I never use passwords with fewer than 12-14 characters on 
websites where security is important, for instance the admin user in TYPO3.

This doesn't mean that a better solution should be the goal; both OpenID 
(which you can use in FE today) and/or a better algorithm should be used.

But whatever the algorithm (md5, salted md5, sha1), weak passwords with few 
characters are breakable, so in addition to better hashing, a minimum password 
length should also be considered. Today it's possible to have an admin user with 
a password length of 1 (ONE) character, as far as I know. The minimum should be 
9 characters (as default), according to Jochen's nice speech.

The same goes for FE passwords: it shouldn't be possible with fewer than 8 
characters, which a lot of sites use as the standard.


WBR,
Erik Svendsen
www.linnearad.no
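An added example (not part of Erik's mail or of TYPO3's own code) illustrating the two points of the thread: an unsalted md5 digest is the same for every user with that password, which is what makes precomputed table lookups work, while a per-user random salt makes every stored value unique; and a minimum-length policy of 9 characters for backend/admin users and 8 for frontend users. The salted scheme uses PBKDF2-HMAC-SHA256 and the `salt$iterations$digest` storage format, both my own choices rather than anything the thread specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Minimum lengths proposed in the thread: 9 for backend/admin users, 8 for frontend users.
MIN_LENGTH = {"BE": 9, "FE": 8}


def password_meets_policy(password: str, context: str) -> bool:
    """Reject passwords shorter than the proposed minimum for the given user context."""
    return len(password) >= MIN_LENGTH[context]


def plain_md5(password: str) -> str:
    """The scheme criticised in the thread: unsalted md5. Every user with the same
    password gets the same digest, so a precomputed (rainbow) table maps it back."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256, my choice; the
    thread only says 'salted md5' or 'better algorithm'). Stored as salt$iterations$digest,
    so the same password yields a different stored value for every user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time comparison."""
    salt_hex, iters, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    pw = "password1"  # constructed sample password, deliberately weak
    print("BE policy accepts it:", password_meets_policy(pw, "BE"))  # True: 9 chars
    print("FE policy accepts 'abc':", password_meets_policy("abc", "FE"))  # False
    print("same md5 for two users:", plain_md5(pw) == plain_md5(pw))  # True
    stored_a, stored_b = salted_hash(pw), salted_hash(pw)
    print("salted values differ:", stored_a != stored_b)  # True
    print("verify ok / wrong:", verify_salted(pw, stored_a), verify_salted("wrong", stored_a))
```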