[TYPO3-dev] Password handling (Regarding youngest security issues)

ries van Twisk typo3 at rvt.dds.nl
Sat Nov 15 12:40:16 CET 2008


On Nov 15, 2008, at 6:05 AM, Sebastian Gebhard wrote:

> Martin Kutschker schrieb:
>> ries van Twisk schrieb:
>>> You can also make sure you hide the password in the database
>>
>> Or you can store the passwords somewhere else. If you don't have an LDAP
>> server around you can use a simple password daemon that handles the
>> authentication for you. The daemon's data files should of course NOT be
>> readable by the web server.
>>
>> Masi
>
> I think it's not important how you hide the salt or password. Even if
> you save the data on Mars, if the script can access these data then the
> attacker also can do that if he has full access to the server.
>
> Imho all these proposals are not better than having a salted md5 hashed
> password field beneath a field with the salt key for each user.


Sebastian,

the difference is that in this case TYPO3 wouldn't manage the password at all.
It's known once, during creation of an account, and sent to 'the other system',
and TYPO3 would only request whether a person is allowed to access.

However for TYPO3 it would be impossible to get a list of passwords.

Ries


Note: In this particular case it wouldn't have helped a lot, since a user
gained shell access (from what I understood). If a hacker has shell access,
then simply re-format and put some old backup back from where you are sure
that the hacker didn't have access.
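The two designs discussed in this thread, as an added example that is not code from the thread or from TYPO3: Sebastian's per-user salt field next to a salted md5 hash, and Ries's "other system" that only answers whether a login is allowed and never hands out the stored records. The record layout, function names and the `PasswordDaemon` class are assumptions for illustration; md5 is used because that is the scheme under discussion, a deliberately slow KDF would be preferred today.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed record layout: one salt column beside one hash column, both hex.
def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Create the {salt, hash} pair for a new account; the salt is random per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}

def verify(record: Dict[str, str], password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, record["hash"])

class PasswordDaemon:
    """Hypothetical 'other system': holds the records, exposes only a yes/no check.

    The web application never sees salts or hashes, so a dump of the
    application's own database yields no credential material at all.
    """
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}

    def create_account(self, user: str, password: str) -> None:
        # Called once at account creation; the plaintext is not kept.
        self._records[user] = make_record(password)

    def is_allowed(self, user: str, password: str) -> bool:
        # Unknown users are checked against a dummy record so the timing
        # does not reveal whether the account exists.
        record = self._records.get(user) or make_record("", salt=b"\x00" * 16)
        return user in self._records and verify(record, password)
```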