[TYPO3-english] TYPO3.ORG hacked

[Dmitry Dulepov]

Hi!

Erik Svendsen wrote:
> Else md5 hashes are going to be a part of TYPO3 4.3 frontend password,
> together with OpenID both in FE and BE-login. I have also suggested to
> set default min character length both for FE and BE password (may be
> overriden by the admin). The md5 hash solution should be backported to
> 4.2. 4.0 and 4.1 has another login solution.

Firsts, OpenID is different, it has nothing to do with md5. It is
integrated to 4.3 and it is as secure as your DNS is secure and
OpenID provider is secure.

Secondly, TYPO3 should stay compatible and it means offering non—md5
passwords for FE users by default. This is *not* insecure unless you
loose your BE password! md5 passwords will be not secure if they
fall into hacker's hands, it should be clearly understood. md5s are
breakable! Another thing is that TYPO3 should provide a way to
easily enable md5–hashed passwords. But this feature cannot come to
4.2 and 4.1 because new features are not allowed into maintenance
releases.

-- 
Dmitry Dulepov
TYPO3 translations support
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/ghosts_in_typo3/