[TYPO3-english] how to convert md5 to salted password in typo3 4.7.7 ?

Steffen Gebert steffen.gebert at typo3.org
Wed Jan 16 08:32:19 CET 2013


Dear joydeep,

to convert a password into a salted one, you need the clear-text password.
Except if you are still storing FE passwords in clear-text, this can
only be done (automatically) during log in. See the configuration of the
saltedpasswords extension in the Extension Manager.

However, there's one trick implemented in that extension: In the
Scheduler module, there's a task to convert password hashes into salted
ones. The trick that it does is that it takes the MD5 hash and treats it
as a password, applies crypt() to salt it and then stores it. Because of
the special prefix $M$ (IIRC), saltedpasswords recognizes this format and
matches the password entered by the user against that after creating an
md5 hash over it. ([1] should explain that in detail)

Salted md5 hashes are sub-optimal: The possibility of collisions (two
passwords result in the same hash) is treated as too high, that's why
md5 isn't recommended anymore (not only by us, but by crypto
scientists). The advantage of this method however is that you don't have
too much trouble, if your password hashes are stolen, because hashes are
salted then.

So to sum up: Go to the Scheduler module and execute the saltedpasswords
task.

Kind regards
Steffen

[1]
http://www.slideshare.net/StephenKing/secure-password-storing-with-saltedpasswords-in-typo3
-- 
Steffen Gebert
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

I work for TYPO3 solely in my spare time. If you think that
my work helps you running your business, you are invited to
send me a donation via PayPal to this email address. Thanks

On 1/16/13 8:23 AM, joydeep at infoservices.in wrote:
> Hello list,
> 
> I have upgraded a typo3 site to version 4.7.7.
> How can I convert the existing md5 password to salted password ?
> 
> Thanks
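
The conversion trick and the login-time conversion described in the message above, as an added PHP example that is not part of the original post and not code from the saltedpasswords extension. The marker `M`, the function names and the choice of bcrypt through crypt() are assumptions made for illustration; the extension's real storage format may differ.

```php
<?php
// Added illustration, not code from the saltedpasswords extension.
// LEGACY_MARKER is a hypothetical prefix; the real storage format may differ.
const LEGACY_MARKER = 'M';

// bcrypt salt for crypt(): "$2y$10$" plus 22 characters from [./A-Za-z0-9].
function new_salt(): string
{
    $raw = base64_encode(random_bytes(16)); // 24 chars, the last two are "=="
    return '$2y$10$' . substr(strtr($raw, '+', '.'), 0, 22);
}

// Scheduler-style conversion: the clear text is unknown, so the stored
// MD5 hex digest is itself treated as the password and salted.
function wrap_legacy_md5(string $md5Hex): string
{
    return LEGACY_MARKER . crypt(strtolower($md5Hex), new_salt());
}

function is_wrapped(string $stored): bool
{
    return strncmp($stored, LEGACY_MARKER . '$', 2) === 0;
}

// Login check: for a wrapped record, MD5 the entered password first.
function verify_password(string $entered, string $stored): bool
{
    if (is_wrapped($stored)) {
        $entered = md5($entered);
        $stored  = substr($stored, 1);
    }
    return hash_equals($stored, crypt($entered, $stored));
}

// Login-time conversion: once the clear text is seen, drop the MD5 layer.
function upgrade_on_login(string $entered, string $stored): string
{
    if (is_wrapped($stored) && verify_password($entered, $stored)) {
        return crypt($entered, new_salt());
    }
    return $stored;
}

// Constructed sample data: an unsalted MD5 row, converted without the clear text.
$wrapped = wrap_legacy_md5(md5('correct horse'));
var_dump(verify_password('correct horse', $wrapped));
var_dump(verify_password('wrong guess', $wrapped));
$upgraded = upgrade_on_login('correct horse', $wrapped);
var_dump(!is_wrapped($upgraded) && verify_password('correct horse', $upgraded));
```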

