[Typo3] Securing and Enhancing Typo3

Michael Stucki michael at typo3.org
Sat Apr 23 20:12:06 CEST 2005


Theo Schmidt wrote:

>> How should this improve the security?
> 
> I thought it would be better if the access to the /typo3 folder and
> /install folder is additionally protected by a .htaccess file.
> Maybe I'm wrong?

Yes you are. By logging into the BE using a simple .htaccess form you will
submit the username and the password in clear-text.

TYPO3's own login form would be much more secure because it never sends the
password in clear-text. Instead it sends a "super-challenged" MD5 sum [1].

> At least, it improves the feeling of security... ;-)

Don't trust your feelings.

- michael

[1] MD5 of (MD5 of the password + a random string, sent by TYPO3)
    Since only the TYPO3 server knows what this random string was, nobody
    else can find out your secret password.
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
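An added example (not part of Michael's message and not TYPO3's own code) that models the two login paths compared above: what a browser submits for an .htaccess (HTTP Basic) login, and the challenge exchange from footnote [1], MD5 of (MD5 of the password + a random string from the server). The class and function names, and the sample credentials, are hypothetical and constructed for the demonstration; the server keeps only MD5(password), issues a fresh random string per login form, and accepts each string once, so a captured response cannot be replayed.

```python
import base64
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a string (the hash the scheme in [1] is built on)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def basic_auth_header(username: str, password: str) -> str:
    """What a browser sends for an .htaccess (HTTP Basic) login: base64 only, no secrecy."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Authorization: Basic " + token


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Anyone who sees the header recovers both values by reversing the base64."""
    token = header.split("Basic ", 1)[1]
    username, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return username, password


class ChallengeServer:
    """Hypothetical server side of the "super-challenged" scheme described in [1]."""

    def __init__(self, users: dict[str, str]):
        # The server keeps only MD5(password) per user, never the password itself.
        self._stored = {name: md5_hex(pw) for name, pw in users.items()}
        self._open = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        # A fresh random string for each login form; only this server knows it.
        challenge = secrets.token_hex(16)
        self._open.add(challenge)
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # Each challenge is valid once; a replayed or made-up one is rejected.
        if challenge not in self._open:
            return False
        self._open.discard(challenge)
        stored = self._stored.get(username)
        if stored is None:
            return False
        expected = md5_hex(stored + challenge)
        return secrets.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    """Browser side: MD5 of (MD5 of the password + the server's random string)."""
    return md5_hex(md5_hex(password) + challenge)


def challenge_login(server: ChallengeServer, username: str, password: str) -> tuple[bool, dict]:
    """Run one full exchange; return the result and what an observer of the wire sees."""
    challenge = server.new_challenge()
    response = client_response(password, challenge)
    ok = server.verify(username, challenge, response)
    observed = {"username": username, "challenge": challenge, "response": response}
    return ok, observed


if __name__ == "__main__":
    # Constructed sample credentials; not a real account.
    hdr = basic_auth_header("admin", "hunter2")
    print(hdr, "->", decode_basic_auth(hdr))
    srv = ChallengeServer({"admin": "hunter2"})
    ok, seen = challenge_login(srv, "admin", "hunter2")
    print(ok, seen)
    # Replaying the captured response with the already-consumed challenge fails.
    print(srv.verify("admin", seen["challenge"], seen["response"]))
```

The `observed` dict is the whole point of the comparison: the Basic header decodes straight back to the password, while the challenge exchange exposes only the random string and the final MD5 sum, neither of which is the password or the stored MD5(password).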



More information about the TYPO3-english mailing list