[TYPO3-english] how to convert md5 to salted password in typo3 4.7.7 ?

Steffen Gebert steffen.gebert at typo3.org
Wed Jan 16 08:32:19 CET 2013

Hash: SHA1

Dear joydeep,

to convert a password into a salted one, you need the clear-text password.
Except if you are still storing FE passwords in clear-text, this can
only be done (automatically) during log in. See the configuration of the
saltedpasswords extension in the Extension Manager.

However, there's one trick implemented in that extension: In the
Scheduler module, there's a task to convert password hashes into salted
ones. The trick that it does is that it takes the MD5 hash and treats it
as a password, applies crypt() to salt it and then stores it. Because of
the special prefix $M$ (IIRC), saltedpassword recognizes this format and
matches the password entered by the user against that after creating an
md5 hash over it. ([1] should explain that in detail)

Salted md5 hashes are sub-optimal: The possibility of collisions (two
passwords result in the same hash) is treated as too high, that's why
md5 isn't treated recommended anymore (not only by us, but by crypto
scientists). The advantage of this method however is that you don't have
too much trouble, if your password hashes are stolen, because hashes are
salted then.

So to sum up: Go to the Scheduler module and execute the saltedpasswords

Kind regards

- -- 
Steffen Gebert
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

I work for TYPO3 solely in my spare time. If you think that
my work helps you running your business, you are invited to
send me a donation via PayPal to this email address. Thanks

On 1/16/13 8:23 AM, joydeep at infoservices.in wrote:
> Hello list,
> I have upgraded a typo3 site to version 4.7.7.
> How can I convert the existing md5 password to salted password ?
> Thanks
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the TYPO3-english mailing list