[TYPO3-english] how to convert md5 to salted password in typo3 4.7.7 ?

joydeep at infoservices.in joydeep at infoservices.in
Wed Jan 16 08:49:28 CET 2013


Dear Steffen,

Many, many thanks for this knowledgeable writing.
Have a nice time.

On Wed, 16 Jan 2013 08:32:19 +0100
Steffen Gebert <steffen.gebert at typo3.org> wrote:

> Dear joydeep,
> 
> to convert a password into a salted one, you need the clear-text password.
> Except if you are still storing FE passwords in clear-text, this can
> only be done (automatically) during log in. See the configuration of the
> saltedpasswords extension in the Extension Manager.
> 
> However, there's one trick implemented in that extension: In the
> Scheduler module, there's a task to convert password hashes into salted
> ones. The trick that it does is that it takes the MD5 hash and treats it
> as a password, applies crypt() to salt it and then stores it. Because of
> the special prefix $M$ (IIRC), saltedpasswords recognizes this format and
> matches the password entered by the user against that after creating an
> md5 hash over it. ([1] should explain that in detail)
> 
> Salted md5 hashes are sub-optimal: The possibility of collisions (two
> passwords resulting in the same hash) is considered too high, which is
> why md5 isn't recommended anymore (not only by us, but by crypto
> scientists). The advantage of this method, however, is that you don't
> have too much trouble if your password hashes are stolen, because the
> hashes are salted then.
> 
> So to sum up: Go to the Scheduler module and execute the saltedpasswords
> task.
> 
> Kind regards
> Steffen
> 
> [1]
> http://www.slideshare.net/StephenKing/secure-password-storing-with-saltedpasswords-in-typo3
> -- 
> Steffen Gebert
> TYPO3 Server Administration Team Member
> 
> TYPO3 .... inspiring people to share!
> Get involved: http://typo3.org
> 
> I work for TYPO3 solely in my spare time. If you think that
> my work helps you running your business, you are invited to
> send me a donation via PayPal to this email address. Thanks
> 
> On 1/16/13 8:23 AM, joydeep at infoservices.in wrote:
> > Hello list,
> > 
> > I have upgraded a typo3 site to version 4.7.7.
> > How can I convert the existing md5 password to salted password ?
> > 
> > Thanks


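The two conversion paths described in the reply above (batch-wrapping the stored MD5 hash, and re-hashing from the clear text at login), as an added PHP sketch that is not part of the original thread and not the saltedpasswords extension's own code. The one-character marker `M`, the function names, and the use of `password_hash()` in place of the extension's `crypt()` call are assumptions made for illustration.

```php
<?php
// Assumption: a leading "M" flags "salted hash computed over an MD5 hash".
const WRAPPED_MD5_MARKER = 'M';

// Batch step: needs only the stored MD5 hex digest, never the clear text.
function wrapLegacyMd5(string $md5Hex): string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $md5Hex)) {
        throw new InvalidArgumentException('not an unsalted MD5 hex digest');
    }
    // password_hash() picks a random salt and runs bcrypt over the digest.
    return WRAPPED_MD5_MARKER . password_hash($md5Hex, PASSWORD_BCRYPT);
}

// Login check that accepts both wrapped and natively salted records.
function verifyPassword(string $clearText, string $stored): bool
{
    if (strncmp($stored, WRAPPED_MD5_MARKER . '$', 2) === 0) {
        // Wrapped record: redo the legacy MD5 step, then check the salted hash.
        return password_verify(md5($clearText), substr($stored, 1));
    }
    return password_verify($clearText, $stored);
}

// Login-time upgrade: only possible here, where the clear text is available.
function upgradeOnLogin(string $clearText, string $stored): ?string
{
    if (!verifyPassword($clearText, $stored)) {
        return null; // wrong password, leave the record untouched
    }
    if ($stored[0] === WRAPPED_MD5_MARKER || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        return password_hash($clearText, PASSWORD_BCRYPT); // MD5 step dropped
    }
    return $stored;
}

// Constructed sample data, not taken from any real installation.
$legacy  = md5('correct horse');      // what the old user record held
$wrapped = wrapLegacyMd5($legacy);    // result of the batch conversion
var_dump(verifyPassword('correct horse', $wrapped));
var_dump(verifyPassword('wrong guess', $wrapped));
$final = upgradeOnLogin('correct horse', $wrapped);
var_dump($final[0] === '$' && verifyPassword('correct horse', $final));
```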