[TYPO3-dev] Password handling (Regarding youngest security issues)

Sebastian Gebhard sg at webagentur-gebhard.de
Fri Nov 14 21:00:04 CET 2008


Hi Erik

> But whatever algorithm, md5, salted md5, sha1, weak passwords with few 
> characters are breakable, so in addition to better hashing, minimum 
> password length should also be considered. Today it's possible to have 
> an admin user with password length of 1 (ONE) character as far as I 
> know. Minimum should be 9 characters (as default), regarding Jochen's 
> nice speech.

I was thinking about that too. But I think the system shouldn't regulate 
too much. The responsibility lies with the webmaster.
My favorite idea is to force BE-Users with admin rights to have a 
password of a certain minimum length.

> Same regarding FE passwords, it shouldn't be possible with fewer than 
> 8 characters, which a lot of sites use as standard.

I think this depends very much on what kind of site you have. It lies 
in the responsibility of the webmaster and the users to take care of 
that. It would conflict with TYPO3's approach of flexibility if it set 
rules here.

Kind regards,
Sebastian G.



