[TYPO3-dev] Password handling (Regarding youngest security issues)

Martin Kutschker masi-no at spam-typo3.org
Fri Nov 14 23:26:14 CET 2008


Niels Fröhling wrote:
> Martin Kutschker wrote:
>>
>>
>> But that means you have to store subsets for all possible mechanisms.
>> HTTP auth uses only Digest-MD5 but for protocols like IMAP there are
>> many variants of the general idea. If you want to support them all
>> easily, you are back to the old plain password storing :(
>>   
> 
> Yes. And no. It just needs to be a bi-directional encryption instead of
> uni-directional scrambling. Ideally it's asymmetric. If you are able to
> tunnel IMAP through your authenticated channel, you can also
> super-impose your desired security-strength on IMAP. If not, you're
> stuck. Or you quit IMAP support.

Are we talking of the same? I don't want to tunnel IMAP. I only pointed
out that there is more than one way to implement an authentication based
on hashing. And each one of them will require a different value in the DB
depending on the algorithm.

SASLv1 tried to do that, but for SASLv2 they simply stored plain
passwords. They probably use the old argument that a stored password
equivalent is not much better than the plain password.

But I have no problem if TYPO3 gets a hook/API for setting a user's
password. Then each authentication scheme can store its own password
equivalent.

Masi
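The two points in the message above, that a hash-based scheme such as HTTP Digest needs its own scheme-specific value in the DB, and that a "set password" hook could let every scheme derive and store its own password equivalent, are illustrated by the following added example. It is not TYPO3 code and not from anyone in this thread; it is written in Python rather than PHP purely for illustration. The realm name, the scheme names, the in-memory dict standing in for the DB and the PBKDF2 iteration count are all assumptions. The Digest arithmetic follows RFC 2617 with qop=auth, and the round-trip shows why the stored HA1 is a password equivalent: the server verifies a login from HA1 alone, so anyone who reads HA1 from the DB can also answer Digest challenges for that realm, whereas the salted PBKDF2 record only lets the server check a candidate password.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict

# Assumed realm name for the Digest scheme (not from the thread).
REALM = "testrealm@host.com"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    This is the only value a Digest server needs to verify logins, so it is
    what a Digest-MD5 scheme would store instead of the plain password.  It is
    also a password equivalent: whoever holds it can answer challenges."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_digest_response(username: str, realm: str, password: str,
                           method: str, uri: str, nonce: str,
                           nc: str, cnonce: str) -> str:
    """What a browser computes: it starts from the plain password."""
    return digest_response(digest_ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_resp: str) -> bool:
    """Server side: recompute from the stored HA1 only, never the password."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_resp)


def pbkdf2_record(password: str, salt: bytes = None,
                  iterations: int = 100_000) -> str:
    """Salted, one-way record for a form login (iteration count is an
    assumption).  Unlike HA1 this cannot be replayed as a credential."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hypothetical "set password" hook: each scheme registers a function that
# turns (username, password) into the value it needs in the DB.
SCHEMES: Dict[str, Callable[[str, str], str]] = {}


def register_scheme(name: str):
    def deco(fn: Callable[[str, str], str]):
        SCHEMES[name] = fn
        return fn
    return deco


@register_scheme("digest-md5")
def _digest_equivalent(username: str, password: str) -> str:
    return digest_ha1(username, REALM, password)


@register_scheme("pbkdf2-sha256")
def _pbkdf2_equivalent(username: str, password: str) -> str:
    return pbkdf2_record(password)


def set_password(db: Dict[str, Dict[str, str]], username: str,
                 password: str) -> Dict[str, str]:
    """The hook: fan the plain password out to every registered scheme and
    store only the per-scheme equivalents.  The plain password is dropped."""
    db[username] = {name: fn(username, password) for name, fn in SCHEMES.items()}
    return db[username]


if __name__ == "__main__":
    db: Dict[str, Dict[str, str]] = {}
    rec = set_password(db, "Mufasa", "Circle Of Life")
    print(rec["digest-md5"])   # HA1 from the RFC 2617 example
    print(verify_pbkdf2(rec["pbkdf2-sha256"], "Circle Of Life"))
```

The `set_password` hook is the part the message asks TYPO3 for: the scheme list is extensible, the plain password never reaches the DB, and a scheme that needs a reversible value (the IMAP case raised earlier in the thread) would simply register a function that encrypts rather than hashes.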
