[TYPO3-english] TYPO3.ORG hacked
marcel.douwstra at tros.nl
Tue Nov 18 14:12:23 CET 2008
I have to agree with this here.
From the arguements here it seems like MD5 is too easily dismissed as
an extra layer of security.
The possibility of dictionary attacks or brute-forcing does not change
An experienced burglar can definitely "brute force" my front door, but I
still prefer to lock it!
Martin Seebach schreef:
> Dmitry Dulepov wrote:
>> This is *not* insecure unless you
>> loose your BE password! md5 passwords will be not secure if they
>> fall into hacker's hands, it should be clearly understood. md5s are
> Properly salted MD5 passwords (using e.g. encryptionKey and the user ID)
> are *significantly* more safe than plaintext. Dictionary attacks would
> be impossible, and brute-force attacks would have to be run against
> every single password separately.
> And no, it's not "secure unless you loose your BE password". It's also
> not secure if someone gets access to your server and can talk to MySQL
> (shared hosting). Or you by mistake introduce a SQL-injection
> vulnerability in an extension. Or if someone compromises your backup.
> There are plenty of attack-vectors, so any extra layer of security
> should be a welcome thing, not something to be dismissed as "not
> necessary", especially in a situation where the exact proposed solution
> would have been a significant improvement.
> Martin Seebach
More information about the TYPO3-english