[TYPO3-dev] Password handling (Regarding youngest security issues)

Erik Svendsen erik at linnearad.no
Sat Nov 15 00:14:59 CET 2008


Hello Sebastian,

It's not a problem with default rules, as long as there are the possibilities 
to override them. But the existence of default rules that are somehow strong 
enough and which clearly state the possible risk regarding weakening the 
security. If we have default rules, people have to make an active choice to 
lower the security. If we don't, there will be a lot of sites where BE-users 
(editors) use very weak passwords, because the Webmaster forgot to 
set a minimum length.

My experience, working nearly 3 years with risk analysis, is that people 
need a clear reminder about security, also people that should know.

And I don't think we really disagree.


> Hi Erik
> 
>> But whatever algorithm, md5, salted md5, sha1, weak password with few
>> characters are breakable, so in addition to better hashing, minimum
>> password length should also be considered. Today it's possible to
>> have an admin user with password length of 1 (ONE) character as far
>> as I know. Minimum should be 9 characters (as default), regarding
>> Jochen's nice speech.
>> 
> I was thinking about that too. But I think the system shouldn't
> regulate too much. The responsibility lies with the webmaster.
> My favorite idea is, to force BE-Users with admin rights to have a
> password of a certain minimum length.
>> Same regarding to FE password, it shouldn't be possible with fewer
>> than 8 characters, which a lot of sites use as standard.
>> 
> I think this depends very much on what kind of site you have. It
> lies in the responsibility of the webmaster and the users to take care
> of that. It would conflict with TYPO3's approach of flexibility if it
> set rules here.
> 
> Kind regards,
> Sebastian G.
WBR,
Erik Svendsen
www.linnearad.no
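The policy model Erik argues for above, shipped defaults that a webmaster can only lower by an active, acknowledged choice, as an added example written for this page (not TYPO3 code). It uses the figures from the thread, 9 characters for BE users and 8 for FE users; applying the BE figure to non-admin editors as well is an assumption, and the role names are made up.

```python
"""Minimum-password-length policy whose defaults must be actively lowered.

Constructed example: defaults of 9 (BE users) and 8 (FE users) come from the
thread; treating BE editors like admins is an assumption for this example.
"""
import logging

log = logging.getLogger("password-policy")

# Role -> default minimum length. Going below these is a conscious decision.
DEFAULT_MINIMUM = {"be_admin": 9, "be_editor": 9, "fe_user": 8}


class PasswordPolicy:
    def __init__(self, defaults=DEFAULT_MINIMUM):
        self._defaults = dict(defaults)
        self._minimum = dict(defaults)
        self._weakened = {}  # role -> (default, chosen), for audit reporting

    def set_minimum(self, role, length, acknowledge_risk=False):
        """Change a role's minimum. Lowering it below the shipped default is
        refused unless the webmaster explicitly acknowledges the weakening."""
        default = self._defaults[role]
        if length < default and not acknowledge_risk:
            raise ValueError(
                f"{role}: minimum {length} is below the default {default}; "
                "pass acknowledge_risk=True to lower it deliberately")
        if length < default:
            self._weakened[role] = (default, length)
            log.warning("%s minimum lowered from %d to %d", role, default, length)
        else:
            self._weakened.pop(role, None)
        self._minimum[role] = length

    def minimum_for(self, role):
        return self._minimum[role]

    def check(self, role, password):
        """Return (accepted, reason) for a password proposed for this role."""
        required = self._minimum[role]
        if len(password) < required:
            return False, f"{role} passwords need at least {required} characters"
        return True, "ok"

    def weakened_roles(self):
        """Roles whose minimum currently sits below the shipped default."""
        return dict(self._weakened)
```

Surfacing `weakened_roles()` in an admin report gives the "clear reminder" Erik asks for, without taking the override away from the webmaster.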