[Typo3] Securing and Enhancing Typo3
Michael Stucki
michael at typo3.org
Sat Apr 23 20:12:06 CEST 2005
Theo Schmidt wrote:
>> How should this improve the security?
>
> I thought it would be better if the access to the /typo3 folder and
> /install folder is additionally protected by a .htaccess file.
> Maybe I'm wrong?
Yes you are. By logging into the BE using a simple .htaccess form you will
submit the username and the password in clear-text.
TYPO3's own login form would be much more secure because it never sends the
password in clear-text. Instead it sends a "super-challenged" MD5 sum [1].
> At least, it improves the feeling of security... ;-)
Don't trust your feelings.
- michael
[1] MD5 of (MD5 of the password + a random string, sent by TYPO3)
Since only the TYPO3 server knows what this random string was, nobody
else can find out your secret password.
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
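
The challenge-response scheme from footnote [1], with both sides of the exchange, as an added example that is not part of the original message and is not TYPO3's code. It assumes "+" means plain string concatenation of the hex MD5 and the challenge; the class and function names, the single-use challenge store and the sample password are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class LoginServer:
    """Server side (hypothetical): keeps MD5(password), issues one-time challenges."""

    def __init__(self, users):
        self._stored = {name: md5_hex(pw) for name, pw in users.items()}
        self._pending = {}  # username -> challenge that has not been answered yet

    def issue_challenge(self, username: str) -> str:
        challenge = secrets.token_hex(16)  # the "random string" sent to the client
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against the same or a later challenge.
        challenge = self._pending.pop(username, None)
        stored = self._stored.get(username)
        if challenge is None or stored is None:
            return False
        expected = md5_hex(stored + challenge)
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    """Client side: only this digest crosses the network, never the password."""
    return md5_hex(md5_hex(password) + challenge)


def demo():
    server = LoginServer({"admin": "constructed-sample-password"})
    first = server.issue_challenge("admin")
    answer = client_response("constructed-sample-password", first)
    results = {"valid": server.verify("admin", answer)}
    results["replayed"] = server.verify("admin", answer)  # challenge already used
    server.issue_challenge("admin")
    results["old_answer_new_challenge"] = server.verify("admin", answer)
    third = server.issue_challenge("admin")
    results["wrong_password"] = server.verify("admin", client_response("guess", third))
    return results


if __name__ == "__main__":
    print(demo())
```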