[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Jan 15 18:59:21 CET 2008


Ingmar Schlecht wrote: on 14.01.2008 21:36:

>> 1) is the salt string always the same and is saved in configuration 
>> (like the encryption key that is already present) ? Or should it be a 
>> random generated, saved in each record? (
 > (...)

> It could be both, either something like the encryption key or something 
> that is generated for each password and just saved along with the 
> password in another DB table field.
> 
> However, using the encryption key is not such a good idea, because just 
> imagine that you accidentally change it: Then all your FE user passwords 
> get invalid! Therefore it is better to save the salt along with the 
> passwords.
> 
> You can also store the password in the same field you store the MD5 in 
> (the "password" field of the fe_users table), maybe separated by an "@".
> 
> Example:
>  a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password

Reusing the same salt for all passwords on one site (even if it is the 
"encryption key") is probably the same security as not using any salt at 
all. It needs to be "random" for every password, because only then you 
have the security that the same password won't "ever" have the same hash.

Why not use a method for storing the salt + hash that is compatible with 
what we have in the Unix world (passwd) and which can be achieved by 
"pure" PHP methods:

$1$6ki0A8QD$BNqCdjMqQF8xeryq9odmb0

$1 = md5 with 8 character salt

The encrypted password can be obtained with the php "crypt()" method:

http://www.php.net/crypt

Cheers,
Ernesto
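
As an added illustration of the crypt()-compatible scheme described above (example code, not from the thread or from TYPO3 itself): each password gets its own random 8-character salt, the result is stored as a single "$1$<salt>$<hash>" string, and verification feeds the stored string back into crypt(), which reads the salt out of it. The function names are the example's own; it assumes PHP 7 or later for random_int() and hash_equals().

```php
<?php
// Added example, not part of the mailing-list thread or of TYPO3:
// per-password salted hashes in the Unix crypt() "$1$" (MD5-crypt) format.
// Assumes PHP >= 7.0 (random_int, hash_equals). Function names are hypothetical.

// Salt alphabet accepted by crypt() for the $1$ scheme.
const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Build a fresh random salt for one password (MD5-crypt uses up to 8 chars).
function make_salt(int $length = 8): string
{
    $salt = '';
    $max  = strlen(SALT_CHARS) - 1;
    for ($i = 0; $i < $length; $i++) {
        $salt .= SALT_CHARS[random_int(0, $max)];
    }
    return $salt;
}

// Hash a plaintext password. The returned "$1$<salt>$<hash>" string carries
// its own salt, so it is the only value that needs to be stored in the
// fe_users "password" field; no separate salt column or site-wide key is needed.
function hash_password(string $plain): string
{
    return crypt($plain, '$1$' . make_salt() . '$');
}

// Verify a login attempt: crypt() parses the salt out of the stored value,
// so re-hashing with the stored string as the "salt" argument reproduces the
// hash exactly when the password matches. hash_equals() compares in constant
// time so the check does not leak how many leading characters matched.
function verify_password(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

// Demonstration with constructed values.
$first  = hash_password('correct horse');
$second = hash_password('correct horse');

echo "first:  $first\n";
echo "second: $second\n";
echo 'same password, different salts, hashes differ: ';
var_dump($first !== $second);
echo 'correct password verifies against the first record: ';
var_dump(verify_password('correct horse', $first));
echo 'wrong password is rejected: ';
var_dump(verify_password('wrong password', $first));
```

Running it prints two different "$1$...$..." strings for the same plaintext, which is exactly the property Ernesto asks for: an attacker who precomputes hashes for one salt gains nothing against the other records. On a current PHP release the same storage pattern is available with less code through password_hash() and password_verify(), which pick a stronger algorithm than MD5-crypt and embed the salt the same way.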

