[TYPO3-english] TYPO3.ORG hacked

Dmitry Dulepov dmitry.dulepov at gmail.com
Sun Nov 16 21:29:10 CET 2008


Erik Svendsen wrote:
> Else md5 hashes are going to be a part of TYPO3 4.3 frontend password,
> together with OpenID both in FE and BE-login. I have also suggested to
> set default min character length both for FE and BE password (may be
> overriden by the admin). The md5 hash solution should be backported to
> 4.2. 4.0 and 4.1 has another login solution.

Firsts, OpenID is different, it has nothing to do with md5. It is
integrated to 4.3 and it is as secure as your DNS is secure and
OpenID provider is secure.

Secondly, TYPO3 should stay compatible and it means offering non—md5
passwords for FE users by default. This is *not* insecure unless you
loose your BE password! md5 passwords will be not secure if they
fall into hacker's hands, it should be clearly understood. md5s are
breakable! Another thing is that TYPO3 should provide a way to
easily enable md5–hashed passwords. But this feature cannot come to
4.2 and 4.1 because new features are not allowed into maintenance

Dmitry Dulepov
TYPO3 translations support
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/ghosts_in_typo3/

More information about the TYPO3-english mailing list