[TYPO3-project-4-3] saltedpasswords for v4.3
Steffen Ritter
info at rs-websystems.de
Mon Jul 20 22:27:11 CEST 2009
Oliver Hader wrote:
> * remove the "suggestions" in ext_emconf.php
> -> only rsaauth is suggested, the others can be removed
OK
> * backend logins without RSA/HTTPS are possible
> -> I don't think it's a good idea to transfer backend passwords
> unencoded - we should enforce it somehow
WRONG, have a look at the div class. Extension is only enabled in
TYPO3_MODE=BE if rsaauth is enabled.
> * passwords using crypt-MD5 only have a length of 12 bytes
> -> is it possible/required to use something "longer" here, e.g. SHA1,
> SHA256 or any other hash-algorithm?
>
You can use Blowfish. Look at the Extension Settings.
For all other stuff, ask the people maintaining linux libcrypt.c :) PHP
implements/includes it. So we are always as safe as our unix login
encryption class provides us the routines or mechanism.
Since glibc 2.7 the crypt function is enabled to make SHA-256 and
SHA-512. Will be short hand since the php function will integrate it.
regards
Steffen
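
Added example, not part of the original mail and not TYPO3 or saltedpasswords code: a small parser for the crypt(3) string layouts of the schemes named in the thread (crypt-MD5, Blowfish, SHA-256, SHA-512), useful for auditing which scheme each stored hash uses. The field lengths are those of the standard crypt(3) formats; the function names and sample strings are assumptions made up for this illustration.

```python
import re
from collections import Counter

B64 = r"[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and digests
# id -> (scheme name, max salt chars, digest chars, digest bits)
SCHEMES = {
    "1": ("md5-crypt", 8, 22, 128),
    "5": ("sha256-crypt", 16, 43, 256),
    "6": ("sha512-crypt", 16, 86, 512),
}

def parse_crypt_hash(stored):
    """Split a crypt(3) string into its fields; return None if malformed."""
    m = re.fullmatch(r"\$([0-9a-z]+)\$(.+)", stored)
    if not m:
        return None
    ident, rest = m.groups()
    if re.fullmatch(r"2[abxy]?", ident):
        # Blowfish/bcrypt: 2-digit cost, then 22-char salt + 31-char digest
        b = re.fullmatch(rf"(\d\d)\$({B64}{{22}})({B64}{{31}})", rest)
        if not b:
            return None
        return {"scheme": "bcrypt", "params": "cost=" + b.group(1),
                "salt": b.group(2), "digest_chars": 31, "digest_bits": 184}
    if ident not in SCHEMES:
        return None
    name, max_salt, digest_chars, bits = SCHEMES[ident]
    # SHA variants may carry "rounds=N$" before the salt; md5-crypt may not
    rounds = r"(?:(rounds=\d+)\$)?" if ident in ("5", "6") else "()"
    s = re.fullmatch(rf"{rounds}({B64}{{1,{max_salt}}})\$({B64}{{{digest_chars}}})", rest)
    if not s:
        return None
    return {"scheme": name, "params": s.group(1) or "", "salt": s.group(2),
            "digest_chars": digest_chars, "digest_bits": bits}

def summarise(hashes):
    """Count stored hashes per scheme; malformed or unknown go to 'unrecognised'."""
    return Counter((parse_crypt_hash(h) or {"scheme": "unrecognised"})["scheme"] for h in hashes)

# Constructed samples: digests are filler characters, not real password hashes.
SAMPLES = [
    "$1$saltsalt$" + "A" * 22,
    "$2a$07$" + "s" * 22 + "B" * 31,
    "$5$rounds=5000$saltsaltsaltsalt$" + "C" * 43,
    "$6$saltsalt$" + "D" * 86,
    "$1$saltsalt$" + "A" * 12,   # truncated digest, rejected
]
```
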