[TYPO3-english] t3sec_saltedpw

Marcus Krause marcus#exp2009 at t3sec.info
Fri Feb 20 22:58:32 CET 2009


Hi Steffen!


Steffen Gebert wrote on 02/20/2009 09:55 PM:
> Hi list,
> 
> I didn't read anything here about t3sec_saltedpw.
> 
> I'm currently reflecting about using this EXT in my current project - better 
> start with salted passwords than let some thousands users have unsalted 
> ones..
> 
> As there are several core developers, I'm quite sure that this extension has 
> a long term support or (better) will be integrated into core - right?
> 
> Are there plans for 4.3?

Yes, have a look at http://forge.typo3.org/wiki/typo3v4-core/43_roadmap !
You will notice that "Salted MD5 passwords for frontend and backend"
are planned.
However, one important thing has to be done before:
"RSA authentication library/service"
The salted passwords extension depends on the passwords being sent as
plain text (no challenges etc.). If you have an SSL/TLS-secured
website, this is no problem. If you don't consider MITM attacks a risk
for your specific website project, you are free to use it.
But mostly, websites aren't secured and MITM attacks are considered to
be a potential problem.
That's why the transfer of credentials has to be fixed in a way that it
is transparently secured (RSA).


> As felogin and sr_feuserregister are supported, I think I will have no 
> problems with this extension - anybody already tried it?

Do you have a typo3.org account? If so, you are already using this
extension! This extension is used under the hood for typo3.org FE users.

You might have noticed that a lot of well-known TYPO3 guys made
contributions to this extension. I therefore guess the code is pretty
stable.

If you start to use t3sec_saltedpw now, and it later becomes part of the
Core, the concept and implementation most probably will not change.
You will continue to be able to use salted passwords, and no BE/FE user
would notice any change then.


If you are interested and able to contribute, there's a lot to be done.
A first start would be the todo list in the manual. MD5 is pretty much
hardcoded in the BE.

Anyone could help; just drop me a note and we could discuss/coordinate
the work that's waiting to get done. ;-)


Marcus.
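Added example (not code from the t3sec_saltedpw extension or from TYPO3) illustrating the point made above: a salted password store can only be checked against the plaintext password, whereas a challenge-response login needs an unsalted hash on the server and does not expose the password on the wire. The record format (PBKDF2 with a hex-encoded salt), the simplified challenge scheme md5(username:md5(password):challenge), and the credentials are all assumptions constructed for this illustration; the 2009 extension used salted MD5.

```python
"""Salted store vs. challenge-response login: a constructed illustration.

Not the t3sec_saltedpw code. Record format and challenge scheme are assumed.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for the salted store


def make_salted_record(password: str, salt: bytes = None) -> str:
    """Build a stored record 'pbkdf2$<iters>$<salt hex>$<digest hex>' (assumed format).
    A fresh random salt per user means equal passwords give different records."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(record: str, password: str) -> bool:
    """Server-side check. Only possible with the plaintext password, because the
    stored salt has to be pushed through the same derivation again."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """What an unsalted store keeps: md5(password), identical for every user
    who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def challenge_response(username: str, password: str, challenge: str) -> str:
    """Client side of a simplified challenge login (assumed scheme):
    md5(username ':' md5(password) ':' challenge). The password itself never
    leaves the browser."""
    inner = unsalted_md5(password)
    return hashlib.md5(f"{username}:{inner}:{challenge}".encode()).hexdigest()


def verify_challenge(stored_md5: str, username: str, challenge: str, response: str) -> bool:
    """Server side: recomputes the expected answer from the stored *unsalted*
    md5(password). A salted record contains no such value, so this check
    cannot be run against a salted store; that is the conflict the mail describes."""
    expected = hashlib.md5(f"{username}:{stored_md5}:{challenge}".encode()).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed walk-through; returns the observations so they can be checked."""
    username, password = "alice", "correct horse"  # constructed credentials
    record = make_salted_record(password)
    stored_md5 = unsalted_md5(password)

    # 1. Salted store: verification from the plaintext works, wrong password fails.
    salted_ok = verify_salted(record, password)
    salted_wrong = verify_salted(record, "wrong")
    # 2. Same password, fresh salt: a different record, so nothing leaks across users.
    salt_differs = make_salted_record(password) != record

    # 3. Challenge login against an unsalted store.
    challenge1 = secrets.token_hex(16)
    response1 = challenge_response(username, password, challenge1)
    challenge_ok = verify_challenge(stored_md5, username, challenge1, response1)
    # 4. A captured response is useless against the next challenge the server issues.
    challenge2 = secrets.token_hex(16)
    replay_fails = not verify_challenge(stored_md5, username, challenge2, response1)
    # 5. The salted record does not contain md5(password), which verify_challenge needs.
    md5_in_record = stored_md5 in record

    return {
        "salted_ok": salted_ok,
        "salted_wrong": salted_wrong,
        "salt_differs": salt_differs,
        "challenge_ok": challenge_ok,
        "replay_fails": replay_fails,
        "md5_in_record": md5_in_record,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk-through makes the trade-off concrete: the salted store (steps 1 and 2) only ever sees the plaintext, so without TLS the password travels in the clear; the challenge scheme (steps 3 and 4) keeps the password off the wire and resists replay, but it needs the unsalted md5 on the server, which the salted record (step 5) simply does not hold. That is why the mail ties core integration to a transport-level fix (the RSA service) rather than to a change in the hashing.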

