[TYPO3-english] Re: Re: Passwords in sha-512

dje gerald.salin at toulouse.inra.fr
Thu May 2 17:53:05 CEST 2013


Thank you for your answer.
We have a project to secure our information system, which uses, among others, a typo3 instance with fe_users passwords hashed with md5 (no salt)... Some of these fe_users are automatically generated from another database where the passwords are stored in plain text (bad!!). This latter database is our reference, i.e. our users can only update their passwords here.
While looking for the best hashing method to use in all our information system, I'm having a look at the capabilities concerning authentication/hashing of the software we use. We use typo3 but also self-made/free software (web and standalone applications, with java, perl and VB.NET as programming languages + apache auth to access our intranet) ...and now I'm on typo3.

I didn't use typo3 for a long time, so I was a bit lost at first. During my search, I read some posts about the "saltedpasswords" extension, but when searching in the extensions of typo3.org for this keyword, I didn't find anything. That's why I had a look at t3sec_saltedpw. After reading your post I went to the extension manager of my typo3 instance and found the saltedpasswords extension and its manual!! Thank you.

I installed it (with rsaauth + deactivate newloginbox and kb_md5fepw), configured it with phpass for BE and FE, put securityLevel to "rsa" for BE and FE in the install tool. All works fine. It seems that we can use 3 hash methods (with salt): phpass, MD5, Blowfish.

Tried phpass and MD5 with success.
Now, the next step is to understand how these hashing methods work (how the salt is generated, can we give them our own salts) as I can use the same hashes for my users in the two databases.
If you have some experience with this kind of thing (synchronizing users between a typo3 instance with salted passwords and another database)....

Thank you for your help.

Gérald
-- 
Typo3 4.5.25
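
On the question above of how the salt is generated and whether a second system can reuse the same hashes, this added example (not from the post or from the saltedpasswords extension) computes and verifies a phpass "portable" hash, showing that the round count and salt travel inside the stored string. It assumes the extension's phpass method emits the standard `$P$` portable format; the function names are hypothetical and the sample password and salts are constructed.

```python
import hashlib
import hmac
import os

# phpass alphabet; differs from RFC 4648 base64 in order and bit packing
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass encoding: 3 bytes little-endian -> 4 chars, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)

def new_salt() -> str:
    """6 random bytes from the OS CSPRNG, encoded to the 8-char salt field."""
    return _encode64(os.urandom(6))

def phpass_hash(password: str, salt: str, log2_rounds: int = 14) -> str:
    """Build '$P$' + round char + 8-char salt + 22-char iterated-MD5 digest."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the phpass alphabet")
    if not 7 <= log2_rounds <= 30:
        raise ValueError("log2_rounds must be between 7 and 30")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[log2_rounds] + salt + _encode64(digest)

def phpass_verify(password: str, stored: str) -> bool:
    """Re-derive the hash using the rounds and salt parsed from `stored`."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        return False
    log2_rounds = ITOA64.find(stored[3])
    try:
        candidate = phpass_hash(password, stored[4:12], log2_rounds)
    except ValueError:
        return False
    # constant-time comparison of the full strings
    return hmac.compare_digest(candidate.encode(), stored.encode("utf-8", "replace"))

if __name__ == "__main__":
    stored = phpass_hash("constructed-sample-pw", new_salt())
    print(stored, phpass_verify("constructed-sample-pw", stored))
```

Because the salt is part of the stored value, the same hash string can be copied to another database and checked there by any code that implements this verification; the verifier never needs to choose or know the salt in advance.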

