[Typo3] FE user password stored in cleartext ?

Francesco di Francia darksky77 at email.it
Wed Jul 13 22:09:23 CEST 2005


Hi all.

I'm just wondering if there's a way to encrypt FE user passwords, and 
store in the DB only the encrypted string.
Maybe I missed something, but at the moment I can see each FE user 
password in clear text! I think it's not a good thing for 2 main reasons:

1) Privacy. A Typo3 site admin and superadmin can see a user's password. 
Maybe it's a password that he usually uses everywhere on the net, just 
because he thinks that his/her password is stored as an encrypted string 
in the DB and so the admin cannot see it (as happens with the majority of 
server-side scripts). They don't know that in Typo3 the admin can see 
his/her password.

2) Security. If someone gains access to the Typo3 DB then he gains access to 
ALL passwords of ALL users, too.

Is the KB MD5 FE Passwords extension the answer? I'm only doubtful about 
how the "hashing" of passwords can affect other extensions that share 
login/pass data and authentication (i.e., forum integration... it seems a 
complete vbulletin integration is just on the way!!)

Thanks a lot,

Francesco


-- 
Net Wargaming Italia - The Italian resource for fans of 
wargames and turn-based strategy games
http://www.netwargamingitalia.net

info at netwargamingitalia.net
darksky at netwargamingitalia.net
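
The following is an added example, not part of the original message and not TYPO3 or extension code. It sketches storing only a salted hash while still accepting existing cleartext rows, which are upgraded on the next successful login. The function names and the `$users` array (a stand-in for the user table) are hypothetical, and it assumes legacy rows hold plain cleartext. Any extension that shares the login data would have to call the same verification function instead of comparing stored strings directly.

```php
<?php
// Added example; function names are hypothetical, not TYPO3 API.

// Hash a password for storage. PASSWORD_DEFAULT is salted and slow by design,
// so equal passwords give different strings and the DB never holds cleartext.
function hash_for_storage(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verify a login attempt against the stored field.
// Returns [ok, replacement]: replacement is a new hash to write back when the
// row was legacy cleartext or uses outdated parameters, otherwise null.
function verify_login(string $stored, string $attempt): array
{
    $isHash = password_get_info($stored)['algoName'] !== 'unknown';
    if ($isHash) {
        if (!password_verify($attempt, $stored)) {
            return [false, null];
        }
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? hash_for_storage($attempt) : null;
        return [true, $new];
    }
    // Legacy cleartext row: constant-time compare, then upgrade in place.
    if (hash_equals($stored, $attempt)) {
        return [true, hash_for_storage($attempt)];
    }
    return [false, null];
}

// Constructed sample table: one legacy cleartext row, one already hashed.
$users = [
    'alice' => 'correct horse',
    'bob'   => hash_for_storage('s3cret-bob'),
];

$attempts = [['alice', 'correct horse'], ['bob', 's3cret-bob'], ['bob', 'guess']];
foreach ($attempts as [$name, $pw]) {
    [$ok, $replacement] = verify_login($users[$name], $pw);
    if ($replacement !== null) {
        $users[$name] = $replacement; // in a real system: UPDATE the row
    }
    printf("%s: %s\n", $name, $ok ? 'accepted' : 'rejected');
}
// After the loop no row in $users is readable as cleartext.
```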


