[Typo3] FE user password stored in cleartext ?
Francesco di Francia
darksky77 at email.it
Wed Jul 13 22:09:23 CEST 2005
Hi all.
I'm just wondering if there's a way to encrypt FE user password, and
store in DB only the encrypted string.
Maybe I missed something, but at the moment I can see each FE user
password in clear text! I think it's not a good thing for 2 main reasons:
1) Privacy. Typo3 site admin and superadmin can see a user's password.
Maybe it's a password that he uses usually everywhere on the net, just
because he thinks that his/her password is stored in an encrypted string
in the DB and so admin cannot see it (as happens for the major part of
server side scripts). They don't know that in Typo3 admin can see
2) Security. If someone gains access to typo3 DB then he gains access to
ALL passwords of ALL users, too.
Is KB MD5 FE Passwords extension the answer? I'm only doubtful about
how the "hashing" of password can affect other extensions that share
login/pass data and authentication (i.e., forum integration... it seems a
complete vbulletin integration is just on the way!!)
Thanks a lot,
Net Wargaming Italia - The Italian resource for fans of
wargames and turn-based strategy games
info at netwargamingitalia.net
darksky at netwargamingitalia.net
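
The two concerns in the message above (cleartext visible in the DB, and other code that shares the login data), shown as an added example that is not part of the original post and is not TYPO3 or KB MD5 FE Passwords code. It uses PHP's built-in `password_hash()` and `password_verify()`; the `$users` array, its sample values and the `isHashed()` / `login()` helpers are hypothetical.

```php
<?php
// Constructed sample rows standing in for a front-end user table.
// Names, column layout and passwords are assumptions for illustration.
$users = [
    'alice' => ['password' => 'correct horse'],                        // legacy cleartext row
    'bob'   => ['password' => password_hash('s3cret!', PASSWORD_DEFAULT)], // already hashed
];

/** True when the stored value is a password_hash() result rather than cleartext. */
function isHashed(string $stored): bool
{
    // 'algo' is null (or 0 on older PHP versions) for unrecognised strings.
    return !empty(password_get_info($stored)['algo']);
}

/**
 * Check a login. A legacy cleartext row is compared in constant time and,
 * on success, replaced with a salted hash so the cleartext leaves the DB.
 */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    $legacy = !isHashed($stored);

    $ok = $legacy
        ? hash_equals($stored, $password)      // legacy row: constant-time compare
        : password_verify($password, $stored); // hashed row: salt is read from the hash

    // Upgrade on successful login: cleartext rows, or hashes with outdated parameters.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

var_dump(login($users, 'alice', 'correct horse'));  // first login against the cleartext row
var_dump(isHashed($users['alice']['password']));    // state of the row after that login
var_dump(login($users, 'alice', 'correct horse'));  // same password against the upgraded row
var_dump(login($users, 'alice', 'wrong guess'));    // wrong password against the upgraded row

// An integration that compares the column to the typed password directly
// stops matching once the row is hashed; it has to call password_verify().
var_dump($users['bob']['password'] === 's3cret!');
var_dump(password_verify('s3cret!', $users['bob']['password']));
```

Any extension or external integration that reads the password column has to verify against the hash the same way, because the stored value can no longer be compared to, or recovered as, the typed password.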