[TYPO3-dev] Password handling (Regarding youngest security issues)
Niels Fröhling
niels.froehling at adsignum.com
Fri Nov 14 22:27:46 CET 2008
Franz Koch wrote:
> Hi,
>
>> Anyway I don't want to start a discussion here about algorithms. From a
>> security stand-point of view obviously any web-site with access has
>> https, and I have a personal public/private key pair for each of them,
>> instead of a password. Yeah ...
>>
>> It's two different things if you can successfully prevent
>> man-in-the-middle breaches, or if you without better knowledge allow
>> insight into the password-tables.
>>
>
> so, without carrying your SSL-key around all the time you are not able
> to do some quick changes on your websites on the go? I'm just curious.
>
>
That was a sarcastic comment about realism vs. idealism. Realistically
a lot of "weak" authentication algorithms are sufficient to protect
against man-in-the-middle attacks, but not against the case of a
compromised system. Idealistically there should be no way that a
compromised system can compromise you. That comes at a price. Security
and its complexity have to be justified in each case of application.
An example: generally you write the mysql-password and user into a
php-file. It's generally not much of an issue, because care has been
taken that this data is "sort-of" inaccessible. Nobody complains about a
security-hole though.
So that's why I suggest rethinking the justification of the
next-to-be-implemented security system, and considering the price.
Ciao
Niels
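The "compromised system" case in the message above (an attacker who has already read the password table and works offline), as an added example that is not from this thread and not TYPO3's own code: it stores a constructed four-user table once as unsalted MD5 and once with a per-user random salt and PBKDF2-HMAC-SHA256, runs the same small wordlist against both, and counts the attacker's hash computations. The user names, passwords, wordlist, and iteration count are constructed assumptions, not anything from the thread.

```python
"""Added example: what a leaked password table gives an offline attacker
under two storage schemes. Not TYPO3 code; all data below is constructed."""
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed sample users and their (deliberately weak) plaintext passwords.
USERS = {
    "alice": "summer2008",
    "bob": "typo3",
    "carol": "summer2008",          # shares alice's password
    "dave": "correct horse battery",
}

# Constructed attacker wordlist; it contains three of the four passwords.
WORDLIST = ["123456", "password", "typo3", "summer2008", "letmein"]

# Assumed work factor for the salted scheme.
ITERATIONS = 10_000


def store_unsalted(pw: str) -> str:
    """Scheme A: a bare, unsalted digest. Equal passwords yield equal rows."""
    return hashlib.md5(pw.encode()).hexdigest()


def store_salted(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Scheme B: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, dk.hex()


def build_table(salted: bool) -> Dict[str, object]:
    """The password table an attacker would obtain from a compromised system."""
    return {u: (store_salted(p) if salted else store_unsalted(p))
            for u, p in USERS.items()}


def attack_unsalted(table: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One digest per wordlist entry cracks every user at once: the work does
    not grow with the number of users, and identical rows reveal shared passwords."""
    lookup = {store_unsalted(w): w for w in WORDLIST}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(WORDLIST)


def attack_salted(table: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, str], int]:
    """Each user's salt forces a separate, iterated computation per candidate.
    The count below is in underlying hash evaluations (ITERATIONS per trial)."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in table.items():
        for candidate in WORDLIST:
            work += ITERATIONS
            if store_salted(candidate, salt)[1] == stored:
                recovered[user] = candidate
                break
    return recovered, work


def shared_password_visible(table: Dict[str, object], salted: bool) -> bool:
    """Can the attacker tell from the table alone that alice and carol share a password?"""
    a, c = table["alice"], table["carol"]
    return (a[1] == c[1]) if salted else (a == c)


def compare() -> Dict[str, Tuple[Dict[str, str], int]]:
    """Run both attacks; the weak passwords fall either way, but the salted
    scheme costs the attacker ITERATIONS times more per guess per user."""
    rec_a, work_a = attack_unsalted(build_table(salted=False))
    rec_b, work_b = attack_salted(build_table(salted=True))
    return {"unsalted": (rec_a, work_a), "salted": (rec_b, work_b)}


if __name__ == "__main__":
    for scheme, (rec, work) in compare().items():
        print(f"{scheme}: recovered {sorted(rec)} with {work} hash computations")
```

The point the numbers make is the one in the message: the salted, iterated scheme does not save users who chose wordlist passwords, it only raises the price of each guess and stops the attacker from reading shared passwords straight off the table. Whether that price is worth paying is exactly the justification question the author raises.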