[TYPO3-project-4-3] saltedpasswords for v4.3

Oliver Hader oliver at typo3.org
Mon Jul 20 22:13:48 CEST 2009


Hi Steffen,

thanks for the changes you and others put into the saltedpasswords story!

Steffen Ritter schrieb:
> Following things we are currently awaiting (you cannot test yet):
>  - user creation in admin panel uses hardcoded md5, so be sure not to
> enable "forceSalted", which would only allow salted formats... I will
> provide a patch within the next days, as soon as we have this ext in.

We have two possibilities here:

a) Stay with MD5 for creating admin users in the install tool:

Since the install tool should not rely on an extension, we could stay
with MD5 here. Additionally the admins created in the install tool are
mostly "first admin user for the system" or "forgot password for admin
user" scenarios. I think we can expect that these users will log into
the backend after a short time, where the password could be changed to
salted automatically. Furthermore I don't expect that many admin users
are created in the install tool.
We could add a note "password is still stored as MD5 but will be changed
when saltedpasswords is installed on first backend login".

b) Add a "Security" section below the "Basic settings" in the install tool:

This new section could provide a more intelligent UI to define security
related issues in general, e.g.
* check whether openssl or HTTPS is available to use RSAAuth for backend
* automatically install and configure saltedpasswords if the admin wants it
* check for old weak encryption keys
* check for whatever else concerning security

What do others think about that?

>  - the user setup module currently has md5 hardcoded, Steffen Kamper
> provided a patch, which allows to register your eval functions via hook,
> I attached this too...

Okay, it should become a proper RFC then to be integrated into the Core.

>  - for felogin "send new password" we are awaiting the patches in core
> list to use the hook which is introduced there...

This patch is still pending as RFC #10017 in the Core List.


There are some other remarks concerning saltedpasswords of the current
trunk version on Forge:

* remove the "suggestions" in ext_emconf.php
  -> only rsaauth is suggested, the others can be removed

* backend logins without RSA/HTTPS are possible
  -> I don't think it's a good idea to transfer backend passwords
     unencoded - we should enforce it somehow

* passwords using crypt-MD5 only have a length of 12 bytes
  -> is it possible/required to use something "longer" here, e.g. SHA1,
     SHA256 or any other hash-algorithm?


olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
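The migration path discussed under option a) above (an admin created with a plain,
unsalted MD5 hash that gets re-hashed into a salted format on the first successful
backend login) and the crypt-MD5 format mentioned in the remarks, as an added
worked example. This is illustration code written in Python for this page, not
the TYPO3 saltedpasswords extension (which is PHP) and not its API: the function
names `md5_crypt`, `legacy_md5`, `verify` and `login_and_upgrade` are invented
here, and the user record at the bottom is constructed. `md5_crypt` implements
the crypt(3) "$1$" scheme, which is what the mail calls crypt-MD5; the sample
salts are made up. Transport of the password (the RSA/HTTPS remark) is out of
scope for this snippet.

```python
"""Verify a login against either a legacy unsalted MD5 hash or a salted
crypt-MD5 ($1$salt$hash) hash, and upgrade legacy hashes on success.

Illustration code, not part of TYPO3 or the saltedpasswords extension.
"""
import hashlib
import hmac
import os

# crypt(3) alphabet used for salts and for the encoded hash.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_CRYPT_MAGIC = "$1$"
MD5_CRYPT_ROUNDS = 1000  # fixed by the algorithm, not tunable


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """crypt(3) MD5 scheme (Poul-Henning Kamp); salt is at most 8 chars."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + MD5_CRYPT_MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, len(pw) bytes total
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # historical quirk of the scheme
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(MD5_CRYPT_ROUNDS):         # deliberately slow stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"{MD5_CRYPT_MAGIC}{salt}${out}"


def new_salt() -> str:
    """8 random characters from the crypt alphabet (64 symbols, so no bias)."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


def legacy_md5(password: str) -> str:
    """The unsalted hash the install tool writes (hex MD5 of the password)."""
    return hashlib.md5(password.encode()).hexdigest()


def is_salted(stored: str) -> bool:
    return stored.startswith(MD5_CRYPT_MAGIC)


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format, in constant time."""
    if is_salted(stored):
        salt = stored.split("$")[2]           # "$1$<salt>$<hash>"
        candidate = md5_crypt(password, salt)
    else:
        candidate = legacy_md5(password)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def login_and_upgrade(password: str, stored: str):
    """Return (login_ok, hash_to_store). A successful login against a legacy
    unsalted hash yields a fresh salted hash to write back to the record."""
    if not verify(password, stored):
        return False, stored
    if is_salted(stored):
        return True, stored
    return True, md5_crypt(password, new_salt())


if __name__ == "__main__":
    # Constructed sample record: an admin created in the install tool.
    record = {"username": "admin", "password": legacy_md5("correct horse")}
    ok, record["password"] = login_and_upgrade("correct horse", record["password"])
    print(ok, record["password"])             # True $1$<salt>$<22 chars>
    # Same password, different salt -> different hash, unlike plain MD5.
    print(md5_crypt("correct horse", "saltsalt") != record["password"])
```

The upgrade is only possible at login time because that is the only moment the
clear-text password is available; a stored MD5 cannot be re-salted offline.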

