[TYPO3-english] TYPO3.ORG hacked

Dmitry Dulepov dmitry.dulepov at gmail.com
Sun Nov 16 22:58:18 CET 2008


Hi!

Peter Russ wrote:
> What's about all the DNS trouble this year?

Not only... If your OpenID looks like
http://myopenid.openidprovider.com/ and the attacker manages to
override DNS on your network to send all requests for
myopenid.openidprovider.com to his own server, he can spoof the
identity of the OpenID server. So if you are not careful enough, he
can get your password.

>> Secondly, TYPO3 should stay compatible and it means offering non-md5
>> passwords for FE users by default. This is *not* insecure unless you
>> lose your BE password! md5 passwords will be not secure if they
>> fall into hacker's hands, it should be clearly understood. md5s are
>> breakable!
> 
> Sorry Dimitri, I didn't expect this answer:
> 1) Plain text in a plain unsecured transmission is INSECURE -> Man in
> the middle ;-)

md5 *transmission* is not secure either. Challenge/response - yes,
secure. But it has nothing to do with storing plain text passwords
in the database.

> 2) MD5 is NOT insecure OR breakable: only weak passwords are
> nowadays insecure. Tomorrow it will be OpenID ;-)

You will be amazed what passwords people use :( If you force them to
8 characters min, 2 digits and one symbol, then it becomes secure.
Otherwise it is very typical to have "pa$$word" or "chinatown" or
whatever else guessable. md5 will not survive the dictionary attack.
Modern computers compute md5s very quickly. If the web site requires
an 8-character password and keeps md5s, you need to perform an attack
on the most used words consisting of 8 characters + combinations
like aaaaaaaa or qwerty123. Guess how long it will take to crack md5.

-- 
Dmitry Dulepov
TYPO3 translations support
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/ghosts_in_typo3/
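An added example (not from this thread or from TYPO3) that puts the two points above side by side: the password rule Dmitry describes (8 characters min, 2 digits, one symbol) as a policy check, unsalted md5 storage next to a salted, iterated PBKDF2 alternative from the standard library, and a purely defensive audit that finds users sharing a password in an md5 table without cracking anything. The user table and the password values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Policy from the post: at least 8 characters, at least 2 digits, at least one symbol.
def meets_policy(password: str) -> bool:
    if len(password) < 8:
        return False
    digits = sum(c.isdigit() for c in password)
    symbols = sum(not c.isalnum() for c in password)
    return digits >= 2 and symbols >= 1

# Unsalted md5, the FE-user storage scheme discussed in the thread: identical
# passwords always give identical digests, so a leaked table is dictionary-lookup-able.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, iterated PBKDF2-HMAC-SHA256: a per-user random salt means equal passwords
# no longer share a digest, and the iteration count slows guessing down.
def pbkdf2_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

# Defensive audit: in an unsalted table, a digest used by several accounts points at a
# shared (and usually weak) password, visible without any cracking at all.
def shared_digest_users(users: dict) -> dict:
    by_digest = {}
    for name, password in users.items():
        by_digest.setdefault(md5_store(password), []).append(name)
    return {d: names for d, names in by_digest.items() if len(names) > 1}

# Constructed sample "fe_users" table; the first two values are the post's own examples.
SAMPLE_USERS = {"alice": "pa$$word", "bob": "chinatown",
                "carol": "pa$$word", "dave": "Tr0ub4dor&3x"}

if __name__ == "__main__":
    for name, pw in SAMPLE_USERS.items():
        print(name, "policy ok" if meets_policy(pw) else "too weak", md5_store(pw))
    print("accounts sharing an md5 digest:", shared_digest_users(SAMPLE_USERS))
```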

