[TYPO3-english] TYPO3.ORG hacked
erik at linnearad.no
Mon Nov 17 08:45:26 CET 2008
> Erik Svendsen wrote:
>> Else md5 hashes are going to be a part of TYPO3 4.3 frontend
>> password, together with OpenID both in FE and BE-login. I have also
>> suggested to set default min character length both for FE and BE
>> password (may be overriden by the admin). The md5 hash solution
>> should be backported to 4.2. 4.0 and 4.1 has another login solution.
> Firsts, OpenID is different, it has nothing to do with md5. It is
> integrated to 4.3 and it is as secure as your DNS is secure and OpenID
> provider is secure.
I know very well the difference beetween OpenId and md5. I mentions both
to show that there are work in progress to make this part of TYPO3 better.
> Secondly, TYPO3 should stay compatible and it means offering non—md5
> passwords for FE users by default. This is *not* insecure unless you
> loose your BE password! md5 passwords will be not secure if they fall
> into hacker's hands, it should be clearly understood. md5s are
> breakable! Another thing is that TYPO3 should provide a way to easily
> enable md5–hashed passwords. But this feature cannot come to 4.2 and
> 4.1 because new features are not allowed into maintenance releases.
Had you read some of my other post, you will see that I has stated that md5
isn't secure with weak password more than one time. And I stating spesific
that it's not an option to backport md5 hash to 4.1. There are working solutions
as far as i know for newloginbox and md5 in 4.1. I don't know of any for
felogin in 4.2. Thats why I wnated some kind of backporting. Of course it
can be stated that you have to use another solution if you want md5 in 4.2.
More information about the TYPO3-english