[Typo3] FE user password stored in cleartext ?
Francesco di Francia
darksky77 at email.it
Wed Jul 13 22:09:23 CEST 2005
Hi all.
I'm just wondering if there's a way to encrypt the FE user password, and
store only the encrypted string in the DB.
Maybe I missed something, but at the moment I can see each FE user
password in clear text! I think it's not a good thing for 2 main reasons:
1) Privacy. Typo3 site admin and superadmin can see a user's password.
Maybe it's a password that he usually uses everywhere on the net, just
because he thinks that his/her password is stored as an encrypted string
in the DB and so the admin cannot see it (as happens for the major part of
server side scripts). They don't know that in Typo3 the admin can see
his/her password.
2) Security. If someone gains access to the typo3 DB then he gains access to
ALL passwords of ALL users, too.
Is the KB MD5 FE Passwords extension the answer? I'm only doubtful about
how the "hashing" of passwords can affect other extensions that share
login/pass data and authentication (i.e., forum integration... it seems a
complete vbulletin integration is just on the way!!)
Thanks a lot,
Francesco
--
Net Wargaming Italia - The Italian resource for fans of
wargames and turn-based strategy games
http://www.netwargamingitalia.net
info at netwargamingitalia.net
darksky at netwargamingitalia.net