[TYPO3-dev] Password handling (Regarding youngest security issues)

Niels Fröhling niels.froehling at adsignum.com
Fri Nov 14 22:27:46 CET 2008


Franz Koch wrote:
> Hi,
>   
>> Anyway I don't want to start a discussion here about algorithms. From a 
>> security stand-point of view obviously any web-site with access has 
>> https, and I have a personal public/private key pair for each of them, 
>> instead of a password. Yeah ...
>>
>> It's two different things if you can successfully prevent 
>> man-in-the-middle breaches, or if you without better knowledge allow 
>> insight into the password-tables.
>>     
>
> so, without carrying your SSL-key around all the time you are not able 
> to do some quick changes on your websites on the go? I'm just curious.
>
>   
 That was a sarcastic comment about realism vs. idealism. Realistically 
a lot of "weak" authentication algorithms are sufficient to protect 
against man-in-the-middle attacks, but not against the case of a 
compromised system. Idealistically there should be no way that a 
compromised system can compromise you. That comes at a price. Security 
and its complexity have to be justified in each case of application.

 An example: generally you write the mysql-password and user into a 
php-file. It's generally not much of an issue because it has been taken 
care of that this data is "sort-of" inaccessible. Nobody complains about 
a security-hole though.

 So that's why I suggest rethinking the justification of the 
next-to-be-implemented security system. And to consider the price.

 Ciao
    Niels