[TYPO3-english] TYPO3.ORG hacked
Martin Seebach
mail at martinseebach.dk
Mon Nov 17 18:04:24 CET 2008
Dmitry Dulepov wrote:
> This is *not* insecure unless you
> lose your BE password! md5 passwords will not be secure if they
> fall into hackers' hands, it should be clearly understood. md5s are
> breakable!
Properly salted MD5 passwords (using e.g. encryptionKey and the user ID)
are *significantly* safer than plaintext. Dictionary attacks would
be impossible, and brute-force attacks would have to be run against
every single password separately.
And no, it's not "secure unless you lose your BE password". It's also
not secure if someone gets access to your server and can talk to MySQL
(shared hosting). Or you by mistake introduce a SQL injection
vulnerability in an extension. Or if someone compromises your backup.
There are plenty of attack vectors, so any extra layer of security
should be a welcome thing, not something to be dismissed as "not
necessary", especially in a situation where the exact proposed solution
would have been a significant improvement.
Regards,
Martin Seebach
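An added example (not from the thread or from TYPO3) illustrating the point above about per-password effort: the same wordlist is checked against unsalted MD5 and against MD5 salted with a site key and the user ID, counting hash evaluations. The encryption key, user IDs, passwords and wordlist are all constructed values.

```python
import hashlib

# Constructed sample data; the site key stands in for TYPO3's encryptionKey.
ENCRYPTION_KEY = "constructed-site-encryption-key"
SAMPLE_PASSWORDS = {1: "password", 2: "password", 3: "letmein"}
WORDLIST = ["123456", "password", "qwerty", "letmein"]


def unsalted_md5(password: str) -> str:
    """Plain MD5: identical passwords produce identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, uid: int, key: str = ENCRYPTION_KEY) -> str:
    """MD5 over (site key, user ID, password): the same password gives a
    different digest for every user and every site, so precomputed tables
    built for plain MD5 no longer match anything."""
    return hashlib.md5(f"{key}:{uid}:{password}".encode()).hexdigest()


def store(salted: bool) -> dict[int, str]:
    """Build the stored hash table for the sample users, salted or not."""
    return {uid: (salted_md5(pw, uid) if salted else unsalted_md5(pw))
            for uid, pw in SAMPLE_PASSWORDS.items()}


def audit_unsalted(stored: dict[int, str], wordlist: list[str]):
    """Each word is hashed once and compared against all users at the same
    time. Returns (matches, number of hash evaluations)."""
    by_hash: dict[str, list[int]] = {}
    for uid, digest in stored.items():
        by_hash.setdefault(digest, []).append(uid)
    found, evaluations = {}, 0
    for word in wordlist:
        evaluations += 1
        for uid in by_hash.get(unsalted_md5(word), []):
            found[uid] = word
    return found, evaluations


def audit_salted(stored: dict[int, str], wordlist: list[str]):
    """The user ID is part of the hash input, so every word must be
    re-hashed for every user: cost grows as users x words."""
    found, evaluations = {}, 0
    for uid, digest in stored.items():
        for word in wordlist:
            evaluations += 1
            if salted_md5(word, uid) == digest:
                found[uid] = word
    return found, evaluations
```

The same structure holds for any hash; a deliberately slow password hash multiplies the per-evaluation cost on top of the per-user factor shown here.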