[TYPO3-dev] Password handling (Regarding youngest security issues)
Martin Kutschker
masi-no at spam-typo3.org
Fri Nov 14 23:26:14 CET 2008
Niels Fröhling wrote:
> Martin Kutschker wrote:
>>
>>
>> But that means you have to store subsets for all possible mechanisms.
>> HTTP auth uses only Digest-MD5 but for protocols like IMAP there are
>> many variants of the general idea. If you want to support them all
>> easily, you are back to the old plain password storing :(
>>
>
> Yes. And no. It just needs to be a bi-directional encryption instead of
> uni-directional scrambling. Ideally it's asymmetric. If you are able to
> tunnel IMAP through your authenticated channel, you can also
> superimpose your desired security-strength on IMAP. If not, you're
> stuck. Or you quit IMAP support.
Are we talking of the same? I don't want to tunnel IMAP. I only pointed
out that there is more than one way to implement an authentication based
on hashing. And each one of them will require a different value in the DB
depending on the algorithm.
SASLv1 tried to do that, but for SASLv2 they simply stored plain
passwords. They probably use the old argument that a stored password
equivalent is not much better than the plain password.
But I have no problem if TYPO3 gets a hook/API for setting a user's
password. Then each authentication scheme can store its own password
equivalent.
Masi
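Added illustration of the set-password hook idea from the message above (example code written for this archive page, not TYPO3 code and not code posted by either participant). It assumes a hypothetical realm name and an in-memory dict standing in for the user table. Each authentication scheme registers a deriver; setting a password stores one "password equivalent" per scheme. HTTP Digest (RFC 2617) needs HA1 = MD5(user:realm:password) and can be verified from HA1 alone, whereas a salted PBKDF2 hash supports only plain-password checks and is useless for a challenge-response scheme. The demo also shows the caveat raised in the thread: whoever reads the stored HA1 can forge a valid Digest response without ever knowing the password.

```python
"""Per-scheme password equivalents behind one set-password hook.

Example code added to the archive page; not part of TYPO3.  REALM, the
scheme names and the sample credentials are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict

REALM = "typo3-example"  # hypothetical Digest realm


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# scheme name -> deriver(username, plaintext) -> value stored in the DB.
# This registry plays the role of the "hook/API" discussed in the thread.
DERIVERS: Dict[str, Callable[[str, str], str]] = {}


def register(scheme: str):
    def wrap(fn):
        DERIVERS[scheme] = fn
        return fn
    return wrap


@register("digest-md5")
def derive_ha1(user: str, password: str) -> str:
    # HA1 as defined in RFC 2617: the server needs only this, not the password.
    return md5_hex(f"{user}:{REALM}:{password}")


@register("pbkdf2-sha256")
def derive_pbkdf2(user: str, password: str) -> str:
    # One-way with a random salt: cannot serve any challenge-response scheme.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


def set_password(db: Dict[str, Dict[str, str]], user: str, password: str) -> None:
    # The hook: every registered scheme gets its own stored equivalent.
    db[user] = {scheme: fn(user, password) for scheme, fn in DERIVERS.items()}


def verify_plain(stored: str, password: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def digest_response(ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617 with qop="auth": client and server compute this from HA1 alone.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    """Returns (digest ok, plain ok, wrong plain rejected?, forged digest ok)."""
    db: Dict[str, Dict[str, str]] = {}
    set_password(db, "masi", "correct horse")
    rec = db["masi"]
    # Client side derives HA1 from the real password; constructed challenge values.
    client_ha1 = derive_ha1("masi", "correct horse")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = digest_response(client_ha1, "GET", "/typo3/", nonce, nc, cnonce)
    ok_digest = verify_digest(rec["digest-md5"], "GET", "/typo3/", nonce, nc, cnonce, resp)
    ok_plain = verify_plain(rec["pbkdf2-sha256"], "correct horse")
    bad_plain = verify_plain(rec["pbkdf2-sha256"], "wrong")
    # Caveat from the thread: the stored HA1 is a password equivalent, so an
    # attacker who reads the DB row can answer the challenge without the password.
    forged = digest_response(rec["digest-md5"], "GET", "/typo3/", nonce, nc, cnonce)
    forged_ok = verify_digest(rec["digest-md5"], "GET", "/typo3/", nonce, nc, cnonce, forged)
    return ok_digest, ok_plain, bad_plain, forged_ok


if __name__ == "__main__":
    print(demo())
```

The registry is deliberately open-ended: an IMAP CRAM-MD5 or SCRAM deriver would register the same way and store yet another value, which is exactly the "different value in the DB depending on the algorithm" point, and the reason a one-way salted hash alone cannot serve every protocol.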