[TYPO3-project-4-3] t3sec_saltedpw as sysext?
Xavier Perseguers
typo3 at perseguers.ch
Fri Apr 24 18:02:17 CEST 2009
Hi Michael,
>> I'm for integrating good extensions that allow
>> encrypting/hashing/salting/... the passwords. They do not need to be
>> readable.
>>
>> However, there's a problem with retrieving a lost password, especially
>> for FE users. Please see my post on dev list ("feuser, forgot password
>> and kb_md5fepw").
>
> You should forget about this feature. It was there in TYPO3 for some
> reason, but there is no other system I know of that sends you the
> current password when you forgot it. Usually, the password is changed to
> a random new one, and this will work fine with both authentication systems.
Actually this is not a good solution. Imagine I go to typo3.org and
choose to reset *your* password. Of course this will not gain me access
to your account, but this will annoy you. I may even write a small bot
that does this for a few TYPO3 websites I found.
A valid solution on all "professional" websites is to send a one-time
valid link to a form that lets me reset my password if I wish to. This
way, I may simply ignore the reset link and it will automatically be
invalidated after, say, 1 day.
> So what should be the default storage?
> a) Plaintext (like now)
> b) MD5
> c) Salted Hash
I do not like plaintext nor md5 (w/o salt) because as admin I do not
need to be able to read others' passwords. We all know that many users
are using the same password many times. This is not about having
something that is very strong, as I may anyway read users' data (as admin
again), but simply about preventing me from decrypting it without wanting to (if I
read records with phpMyAdmin, I do not need to read any password in clear).
> 1) for FE
> 2) for BE
both of them.
> RSA is left out of this voting because it affects the transmission, not
> the storage of the password...
>
> OpenID should also not become the default because it depends on external
> systems...
I agree.
--
Xavier Perseguers
http://xavier.perseguers.ch/en
One contribution a day keeps the fork away
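The two points argued in the message above, salted password storage so an admin browsing the table cannot read passwords, and a one-time reset link that leaves the current password untouched until the owner actually redeems it, as an added example that is not part of the original post and not TYPO3 code. The `UserStore` class, the in-memory dictionaries, the PBKDF2 parameters and the 1-day lifetime are assumptions chosen for illustration; a real site would persist the records in its database and send the token by e-mail.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000          # assumed work factor for the example
RESET_TTL_SECONDS = 24 * 3600        # "say, 1 day", as suggested in the post


def hash_password(password: str) -> str:
    """Return a salted PBKDF2-SHA256 record; the plaintext is never stored.

    Each call draws a fresh random salt, so two users with the same
    password get different records and a table dump reveals nothing.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Assumed in-memory stand-in for the fe_users / be_users tables."""

    def __init__(self) -> None:
        self.users = {}    # username -> password record
        self.resets = {}   # sha256(token) -> (username, expires_at); token itself is not stored

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def request_reset(self, username: str, now: int):
        """Issue a one-time reset token. The current password is NOT changed,
        so a stranger (or a bot) requesting resets cannot lock the owner out.
        Returns None for unknown users; the caller should answer identically
        in both cases so the form does not leak which accounts exist."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = (username, now + RESET_TTL_SECONDS)
        return token   # goes into the e-mailed link, e.g. .../reset?token=<token>

    def redeem_reset(self, token: str, new_password: str, now: int) -> bool:
        """Consume the token: it must exist, be unexpired, and is removed on
        first use whether or not the reset succeeds."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(key, None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True
```

The reset table holds only a hash of the token, so a read of that table (again via phpMyAdmin) does not hand an attacker a usable link, and `pop` makes the link single-use even when the redemption fails for being expired.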