[Typo3] FE user password stored in cleartext ?

JoH info at cybercraft.de
Wed Jul 13 22:32:20 CEST 2005


> I'm just wondering if there's a way to encrypt FE user passwords, and
> store in the DB only the encrypted string.
> Maybe I missed something, but at the moment I can see each FE user
> password in clear text! I think it's not a good thing for 2 main
> reasons:
>
> 1) Privacy. Typo3 site admin and superadmin can see a user's password.
> Maybe it's a password that he usually uses everywhere on the net,
> just because he thinks that his/her password is stored as an
> encrypted string in the DB and so the admin cannot see it ( as it happens
> for the major part of server side scripts ). They don't know that in
> Typo3 the admin can see his/her password.

This is why something like a default password is a bad thing ;-)
And BTW: If you don't trust your admin you should reconsider the whole
security concept.

> 2) Security. If someone gains access to the typo3 DB then he gains access
> to ALL passwords of ALL users, too.

Well - if someone gains access to the DB then he doesn't need a password
anymore ;-)

> Is the KB MD5 FE Passwords extension the answer ? I'm only doubtful about
> how the "hashing" of passwords can affect other extensions that share
> login/pass data and authentication ( i.e., forum integration...it
> seems a complete vbulletin integration is just on the way!! )

You will have to check it out - but I think it's enough to make the field
for passwords in BE forms a password field instead of a standard input.
So there's no possibility for someone finding out a user's password just by
standing behind a BE-user/admin who is listing the FE-user table.
There's an extension available doing that.

Joey

-- 
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your knob sometimes!)
Dieter Nuhr, German comedian
openBC: http://www.openbc.com/go/invuid/Jo_Hasenau
