[TYPO3-project-4-3] saltedpasswords for v4.3

Steffen Ritter info at rs-websystems.de
Tue Jul 21 07:25:00 CEST 2009


Steffen Kamper wrote:
> Hi,
> 
> Oliver Hader wrote:
> 
>> a) Stay with MD5 for creating admin users in the install tool:
>>
>> Since the install tool should not rely on an extension, we could stay
>> with MD5 here. Additionally the admins created in the install tool are
>> mostly "first admin users for the system" or "forgot password for admin
>> user" scenarios. I think we can expect that these users will log into
>> the backend after a short time where the password could be changed to
>> salted automatically. Furthermore I don't expect that many admin users
>> are created in the install tool.
>> We could add a note "password is still stored as MD5 but will be changed
>> when saltedpasswords is installed on first backend login".
>>
> 
> I would say yes. As there is an option for autoconvert (which is enabled 
> by default) the salted pw will be written with login.

To me, it seems the best too since it does not change the whole install 
tool behaviour. One good thing is: creating Admin-Users via install tool 
sets lastlogin to zero (as it defaults to zero). So for increased 
security we might check against lastlogin=0 before converting if 
forceSalted is set. So Installtool-Passwords may be converted even if 
forceSalted is set.

> And this is the problem I have while testing: it's never written, 
> because in my case the function compareUident is never used. I looked at 
> the configuration of services, and there is no other service that can take 
> priority. Ext is installed, init is called.

What exactly does this mean? The extension not working, or updating the 
password itself? Did you find out why?

> Second: in the EM configuration forceSalted and updatePasswd are 
> selected by default, but updatePasswd doesn't work together with 
> forceSalted. This looks very odd to me.

Indeed, this is confusing and makes no sense. For security reasons 
forceSalted is the favourite. For updating and so on updatePasswd is your 
choice. So... how to ship it as standard?
Additionally I just found out that there is a bug in the current SVN version. I do 
not know when I introduced it. I will have a look. In the meantime, look 
at the init-function of the service. The check whether the extension is active is 
commented out.

> Kind regards, Steffen

regards Steffen