[TYPO3-dev] Password handling (Regarding youngest security issues)
Martin Kutschker
masi-no at spam-typo3.org
Fri Nov 14 23:19:36 CET 2008
ries van Twisk schrieb:
>
> On Nov 14, 2008, at 4:37 PM, Daniel Pšötzinger wrote:
>
>> Xavier Perseguers schrieb:
>>> Hi,
>>>
>>>>> Ok.. these are my thoughts.
>>>>>
>>>>> I'd be glad to get some feedback.
>>>>>
>>>>> Sebastian G.
>>>> Good idea:
>>>> the Install tool has this option allready "Encryption key:"
>>>> and its used for cHash atm.
>>>>
>>>> Maybe use crypt with a extra salt instead of md5 - because in theory
>>>> there are algorithm that can "calculate" some origns for a md5 hash
>>>> imho.
>>>
>>> The point for using md5 at all is that it is present as well as a
>>> JavaScript library which allow this cool feature of encrypting password
>>> the way to TYPO3 from the BE login (it should be, as said, the default
>>> option for FE login too). Changing the encryption means to find a
>>> compatible library in JS. As there is still no md6 library available, we
>>> may stick to sha1 which should be available as JS.
>>>
>>> Now another point is the challenge response from the BE login form in
>>> superchallenge mode for instance. The way it works is following:
>>>
>>> TYPO3 sends a challenge as part of the form, the "password" or hash that
>>> is sent back is
>>>
>>> hash = MD5( username :: MD5( password ) :: challenge )
>>>
>> The "extra" security you get by the JS Hash generation is that by
>> sniffing the HTTP you haven't the password itself. But by sniffing you
>> still have the possibility to login - since you only need to send what
>> you sniffed..
>>
>> But the extra salt check can be done serverside - I see no need for JS:
>>
>> From client (browser): sendedpassword=MD5( password ) is send like
>> it is now.
>>
>> On Server: Hash(sendedpassword,username-salt) is checked against the
>> database password.
>>
>
>
> You can also make sure you hide the password in the database
Or you can store the passwords somewhere else. If you don't have an LDAP
server around you can us a simple password daemon that handles the
authentication for you. The daemon's data files should of course NOT be
readable by the web server.
Masi
More information about the TYPO3-dev
mailing list