[TYPO3-project-4-3] saltedpasswords for v4.3
Ingmar Schlecht
ingmar at typo3.org
Thu Sep 3 16:03:14 CEST 2009
Michael Stucki wrote:
> Ingmar Schlecht wrote:
>> Hi guys,
>>
>> Steffen Ritter wrote:
>>> In a discussion with Steffen via Skype it turned out that
>>> saltedpasswords was not activated for be, since he does not use rsaauth.
>>>
>>> Marcus Krause and I once decided not to allow plain transmit of
>>> BE-Passwords, which would be needed for saltedpasswords without RSA.
>> I think plain text password transmitted over the wire should be allowed,
>> because that is actually still a good way when using HTTPS.
>
> Nope. Use rsaauth for secure transmission. There is really no need to
> allow plaintext transmission.
>
> The same applies for the frontend, but there we may keep the plaintext
> option for backwards compatibility. The important thing here is
> that encrypted transmission is also possible (and should become the
> default in future...).
Actually, for example in the frontend I do believe that having no
rsaauth but clear text password over HTTPS makes sense...

cheers
Ingmar