[TYPO3-english] TYPO3.ORG hacked

Martin Seebach mail at martinseebach.dk
Mon Nov 17 18:04:24 CET 2008


Dmitry Dulepov wrote:

> This is *not* insecure unless you
> lose your BE password! md5 passwords will not be secure if they
> fall into hackers' hands, it should be clearly understood. md5s are
> breakable!

Properly salted MD5 passwords (using e.g. encryptionKey and the user ID) 
are *significantly* safer than plaintext. Dictionary attacks would 
be impossible, and brute-force attacks would have to be run against 
every single password separately.

And no, it's not "secure unless you lose your BE password". It's also 
not secure if someone gets access to your server and can talk to MySQL 
(shared hosting). Or you by mistake introduce a SQL injection 
vulnerability in an extension. Or if someone compromises your backup.

There are plenty of attack vectors, so any extra layer of security 
should be a welcome thing, not something to be dismissed as "not 
necessary", especially in a situation where the exact proposed solution 
would have been a significant improvement.

Regards,
Martin Seebach
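An added illustration of the salting point made above. This is example code written for this archive page, not code from the thread or from TYPO3 itself; the salt layout (encryptionKey joined with the user ID) is an assumption about the scheme Martin sketches, and the key, user IDs and passwords are constructed sample values. It shows the two properties he describes: a precomputed table of unsalted MD5 hashes recovers a leaked password instantly, while the same password salted per user yields a hash that is neither in the table nor equal to another user's hash, so any guessing has to be repeated per account.

```python
import hashlib
import hmac

# Constructed sample installation secret; stands in for the encryptionKey
# mentioned in the post. Not a real TYPO3 value.
ENCRYPTION_KEY = "example-encryption-key-constructed-for-this-demo"


def md5_unsalted(password: str) -> str:
    """Plain MD5 of the password. Identical passwords give identical hashes,
    so one precomputed table matches every user who chose that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_salted(password: str, user_id: int, encryption_key: str = ENCRYPTION_KEY) -> str:
    """MD5 over a per-user salt followed by the password.

    The salt combines the installation key with the user ID, as the post
    suggests; the exact concatenation with ':' separators is an assumption."""
    salt = f"{encryption_key}:{user_id}"
    return hashlib.md5(f"{salt}:{password}".encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> password table for unsalted MD5 (the 'dictionary'
    Martin refers to). Built once, reusable against any unsalted store."""
    return {md5_unsalted(c): c for c in candidates}


def lookup(table, stored_hash):
    """Return the password behind stored_hash if the table knows it, else None."""
    return table.get(stored_hash)


def verify_salted(password: str, user_id: int, stored_hash: str,
                  encryption_key: str = ENCRYPTION_KEY) -> bool:
    """Constant-time check of a login attempt against a salted hash."""
    return hmac.compare_digest(md5_salted(password, user_id, encryption_key), stored_hash)


def demo():
    """Run the comparison on constructed data and return the observations."""
    wordlist = ["password", "123456", "letmein", "typo3"]       # constructed
    table = build_lookup_table(wordlist)

    # Constructed user store: two users share a weak password.
    users = {1: "letmein", 2: "letmein", 3: "correct horse battery"}
    unsalted_store = {uid: md5_unsalted(pw) for uid, pw in users.items()}
    salted_store = {uid: md5_salted(pw, uid) for uid, pw in users.items()}

    return {
        # Table recovers the shared weak password from the unsalted store...
        "unsalted_user1_recovered": lookup(table, unsalted_store[1]),
        # ...and the two users are visibly identical.
        "unsalted_users_collide": unsalted_store[1] == unsalted_store[2],
        # With per-user salt the table finds nothing...
        "salted_user1_recovered": lookup(table, salted_store[1]),
        # ...and equal passwords no longer produce equal hashes.
        "salted_users_collide": salted_store[1] == salted_store[2],
        # Normal login still works, and a wrong password is rejected.
        "login_ok": verify_salted("letmein", 1, salted_store[1]),
        "login_wrong": verify_salted("letmein", 3, salted_store[3]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a single guess slower; it only removes the one-table-fits-all shortcut and forces work per account, which is exactly the distinction the post draws. A current design would additionally use a deliberately slow password hash (bcrypt, scrypt, Argon2) so that the per-account brute force is expensive as well.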
