[TYPO3-dev] Password handling (Regarding youngest security issues)

Martin Kutschker masi-no at spam-typo3.org
Fri Nov 14 21:54:49 CET 2008


Niels Fröhling wrote:
> Steffen Kamper wrote:
>> Hi,
>>
>> yes, it sounds good.
>> Anyway we have an encryptionKey, which should be mandatory during
>> install (maybe create one from the URL as default); this can be used for
>> encryption too: md5(password + encryptionKey), so it should be unique
>> for every install instance.
>>   
> 
> In respect to this, I would like to hint that it's better to stay
> compatible with http-auth digest, which means you can't use simply any
> wild password-scrambler algorithm.
> 
> If you want to have http-auth still, you can use only subsets of the
> digest-scrambler.

But that means you have to store subsets for all possible mechanisms.
HTTP auth uses only Digest-MD5, but for protocols like IMAP there are
many variants of the general idea. If you want to support them all
easily, you are back to the old storing of plain passwords :(

> A possibility would be:
> 
> HA1 = MD5(username:realm:password)
> 
> in which case "realm" represents your salt, but also the readable
> access-point.
> So just don't develop any wild algorithms that will break existing
> communication-channel authentications.
> I for example had implementation-problems for http-auth for BE-users,
> because md5(pass) is completely useless for calculating the digest.

As I have said, you will end up with pre-calculated data for every
authentication scheme you want to support.

Masi
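
The point made in this thread, as an added example that is not code from the original post or from TYPO3: a server can answer an HTTP Digest challenge only from a stored HA1 = MD5(username:realm:password) for that exact realm, or from the cleartext password. Stored md5(password) or md5(password + encryptionKey) cannot be turned back into HA1, so Digest verification fails for those, and a second realm needs a second stored HA1. Usernames, realm, nonce, key and URI below are constructed sample values; the response is the RFC 2617 form without qop.

```python
"""HTTP Digest (RFC 2617, no-qop form) checked against several ways of storing
the password.  Added illustration, not TYPO3 code."""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the realm is the only 'salt'."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2)  (RFC 2617 without qop)."""
    return md5_hex(f"{ha1}:{nonce}:{digest_ha2(method, uri)}")


def client_authorize(username, realm, password, nonce, method, uri) -> str:
    """Client side: it holds the cleartext password, so it can always build HA1."""
    return digest_response(digest_ha1(username, realm, password), nonce, method, uri)


def server_verify(stored_kind: str, stored_value: str, username: str, realm: str,
                  nonce: str, method: str, uri: str, presented: str) -> bool:
    """Server side: it only has what it stored.  Cleartext lets it derive HA1 on
    the fly; a stored HA1 for this realm is usable directly; any other hash can
    only be fed in where HA1 belongs, which never matches."""
    if stored_kind == "plain":
        ha1 = digest_ha1(username, realm, stored_value)
    else:
        ha1 = stored_value
    expected = digest_response(ha1, nonce, method, uri)
    return secrets.compare_digest(expected, presented)


# Constructed sample data (not real credentials or TYPO3 defaults).
USERNAME = "admin"
REALM = "TYPO3 Backend"
PASSWORD = "correct horse battery staple"
ENCRYPTION_KEY = "0f3b7e2d9c1a4b6e8d5f7a9c1b3e5d7f"   # stands in for $TYPO3_CONF_VARS encryptionKey
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/typo3/index.php"

# One row per way of storing the password.
STORED = {
    "plain": PASSWORD,
    "md5(password)": md5_hex(PASSWORD),
    "md5(password + encryptionKey)": md5_hex(PASSWORD + ENCRYPTION_KEY),
    "digest HA1 for this realm": digest_ha1(USERNAME, REALM, PASSWORD),
    "digest HA1 for another realm": digest_ha1(USERNAME, "IMAP", PASSWORD),
}


def digest_compatibility(stored=STORED) -> dict:
    """Which stored representations let the server verify a genuine Digest login?"""
    presented = client_authorize(USERNAME, REALM, PASSWORD, NONCE, METHOD, URI)
    return {
        kind: server_verify(kind, value, USERNAME, REALM, NONCE, METHOD, URI, presented)
        for kind, value in stored.items()
    }


if __name__ == "__main__":
    for kind, ok in digest_compatibility().items():
        print(f"{'OK  ' if ok else 'FAIL'}  {kind}")
```

Running it prints OK only for the cleartext row and the HA1 row computed with the matching realm; the md5-based rows and the HA1 for a different realm fail, which is exactly why one pre-computed value per scheme (and per realm) ends up being stored, or the cleartext password is kept.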
