[TYPO3-english] TYPO3.ORG hacked

Erik Svendsen erik at linnearad.no
Mon Nov 17 08:45:26 CET 2008

Hello Dmitry,

> Hi!
> Erik Svendsen wrote:
>> Else md5 hashes are going to be a part of TYPO3 4.3 frontend
>> password, together with OpenID both in FE and BE-login. I have also
>> suggested to set default min character length both for FE and BE
>> password (may be overridden by the admin). The md5 hash solution
>> should be backported to 4.2. 4.0 and 4.1 have another login solution.
> First, OpenID is different, it has nothing to do with md5. It is
> integrated to 4.3 and it is as secure as your DNS is secure and OpenID
> provider is secure.
I know very well the difference between OpenID and md5. I mention both
to show that there is work in progress to make this part of TYPO3 better.

> Secondly, TYPO3 should stay compatible and it means offering non-md5
> passwords for FE users by default. This is *not* insecure unless you
> lose your BE password! md5 passwords will be not secure if they fall
> into hacker's hands, it should be clearly understood. md5s are
> breakable! Another thing is that TYPO3 should provide a way to easily
> enable md5-hashed passwords. But this feature cannot come to 4.2 and
> 4.1 because new features are not allowed into maintenance releases.

Had you read some of my other posts, you would see that I have stated that md5
isn't secure with weak passwords more than one time. And I stated specifically
that it's not an option to backport md5 hash to 4.1. There are working solutions
as far as I know for newloginbox and md5 in 4.1. I don't know of any for
felogin in 4.2. That's why I wanted some kind of backporting. Of course it
can be stated that you have to use another solution if you want md5 in 4.2.

Erik Svendsen

