[TYPO3-project-4-3] t3sec_saltedpw as sysext?

Marcus Krause marcus#exp2009 at t3sec.info
Tue Apr 28 19:26:01 CEST 2009


Michael Stucki wrote on 04/28/2009 01:29 PM:
> Hi Masi,
> 
> Martin Kutschker wrote:
>> Michael Stucki wrote:
>>> So what should be the default storage?
>>> a) Plaintext (like now)
>>> b) MD5
>>> c) Salted Hash
>>>
>>> 1) for FE
>>
>> Do we need JS for a) and b)? Or can I use SSL with a plain text password
>> transmission? Anyway, if I had to choose between b) and c) I'd choose c).
> 
> We need JS for MD5 and salted hash. In case of a challenge-response
> authentication, even plaintext will require JS on the client side.

Some comments:

- JS is _not_ needed for salted hashes (but for rsaauth)
- salted hashes always require the unmodified original password
- the library simply "compares" two strings: the original plain-text
password together with the salted hashed password string

- the current extension includes an XCLASS for felogin; it backports the
new forgot-password handling (pending in core) to TYPO3 4.2

For 4.3 there are different ways to implement it:
- salted hashes as some kind of password storage object
- salted hashes as library to be explicitly called


I was planning some encryption libraries/classes:
- symmetric encryption (using PHP's mcrypt module; started but not
finished yet)
- asymmetric encryption (RSA; service? - native openssl binary and/or
php module)
- salted hashes

I think they would be generally useful, not only for one extension like
rsaauth.
-> Make such libraries/classes available for general usage.

Marcus.
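The check described above (the plain-text password compared against the stored salted hash, entirely server-side, so no client-side JS is involved), as an added PHP sketch that is not the t3sec_saltedpw code; the `$salt$digest` storage format and SHA-256 are assumptions made for this example:

```php
<?php
// Illustrative salted-hash storage and verification; not the t3sec_saltedpw code.
// Assumed stored format for this example: "$" . salt . "$" . hex digest.

function makeSaltedHash(string $password, ?string $salt = null): string
{
    // Fresh random per-user salt (hex-encoded) unless one is supplied.
    $salt = $salt ?? bin2hex(random_bytes(16));
    $digest = hash('sha256', $salt . $password);
    return '$' . $salt . '$' . $digest;
}

function checkSaltedHash(string $password, string $stored): bool
{
    // The salt lives inside the stored string, so verification needs the
    // original plain-text password: the client cannot pre-hash it without
    // first being told the salt, which is why no JS is needed on that side.
    $parts = explode('$', $stored);
    if (count($parts) !== 3 || $parts[0] !== '') {
        return false; // malformed record
    }
    [, $salt, $digest] = $parts;
    $candidate = hash('sha256', $salt . $password);
    // Constant-time comparison of the two hex strings.
    return hash_equals($digest, $candidate);
}

// Same password for two users yields two different stored strings, so a
// leaked user table cannot be checked against one precomputed hash table.
$storedA = makeSaltedHash('correct horse');
$storedB = makeSaltedHash('correct horse');
var_dump($storedA !== $storedB);
var_dump(checkSaltedHash('correct horse', $storedA));
var_dump(checkSaltedHash('wrong password', $storedA));
var_dump(checkSaltedHash('correct horse', 'not-a-valid-record'));
```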

