[TYPO3-dev] Password handling (Regarding youngest security issues)
Sebastian Gebhard
sg at webagentur-gebhard.de
Fri Nov 14 17:05:03 CET 2008
Hello folks,
a while ago I was thinking about how the password handling could be
improved, and now in the light of recent events I remembered my thoughts.
I hope to get some feedback on what you think about it.
Of course the most obvious change that is needed is to encrypt the
passwords of the FE-Users. We all know there is the possibility to do
this by extensions and this should absolutely be a native thing for
future releases. But that's not the point I want to make.
As Jochen Weiland showed at T3CON (I was not there, unfortunately), md5
passwords are not 100% safe. So called rainbow tables collect a huge
amount of passwords and their md5 hashes (including whole dictionaries but
also cryptic looking passwords). Those services are public to use on the
web and not hard to find. So everybody can easily revert an md5 hash into
its origin if it is listed in a rainbow table. (Try it with some of
your passwords, you'll be surprised.)
Now these tables work because md5 of course always works the same way.
joh316 will always be hashed to bacb98acf97e0b6112b1d1b650b84971 in every
project. Not only TYPO3 but also every other project that uses md5, which
are quite a lot.
Now if every project had its "own" md5, the general rainbow tables
would be ineffective trying to decrypt these hashes. An attacker would
have to create a rainbow table for the certain project he wants to
attack, which is a bit of work.
Now how do we get unique md5 behaviour for each project? This would be
quite simple: just prepend all passwords with a unique project key
before hashing them.
So if Project1 has the key _rhlzu and Project 2 has the key _wbjvw then
joh316 would be encrypted:
Project1:
joh316 => joh316_rhlzu => a0e4932e3c3b8e0921d6f3dd4b553790
Project2:
joh316 => joh316_wbjvw => 22c5174f8175575ddd95cce4858ef189
I think managing the key via the install tool would be a good idea. The
install tool should propose a randomly generated key, but the user (I
mean the person installing TYPO3) should have the possibility to give
his/her own key, e.g. to make the project compatible with a second project.
Now what if you want to merge two projects including their users? Now
that's always difficult because you have to take care of double used
usernames etc. Regarding passwords, the minor project should take the key
of the major one and all users of the minor project should get mails
with newly generated passwords. In the light of the change for the users that
merging two communities brings along, this step should be accepted by the
users, since they know "something good is going on".
Ok, these are my thoughts.
I'd be glad to get some feedback.
Sebastian G.
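The per-project key scheme from the post, as an added example that is not part of the original mail or of TYPO3: a constructed dictionary stands in for a public rainbow table, `project_md5` appends the project key before hashing exactly as the post's Project1/Project2 examples do, and `per_user_hash` goes beyond the post by adding a random per-user salt and an iterated KDF (PBKDF2-SHA256), which also stops an attacker from building one table per project. Function names, the 100,000 iteration count and the sample password list are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a public rainbow table: plain md5 digest -> password.
RAINBOW_TABLE = {
    hashlib.md5(pw.encode()).hexdigest(): pw
    for pw in ("joh316", "password", "123456", "letmein")
}


def plain_md5(password: str) -> str:
    """Unsalted md5 as stored for FE users: identical in every project."""
    return hashlib.md5(password.encode()).hexdigest()


def project_md5(password: str, project_key: str) -> str:
    """The post's proposal: append the project-wide key, then md5 (joh316_rhlzu)."""
    return hashlib.md5((password + project_key).encode()).hexdigest()


def rainbow_lookup(digest: str) -> Optional[str]:
    """Returns the password if the digest is listed in the table, else None."""
    return RAINBOW_TABLE.get(digest)


def per_user_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[str, str]:
    """Beyond the post: random per-user salt plus iterated PBKDF2-SHA256.
    Two users with the same password get different hashes, and no table
    built in advance (general or per project) can be reused."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), dk.hex()


def verify_per_user(password: str, salt_hex: str, stored_hex: str,
                    iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = per_user_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk, stored_hex)
```

With the project key the stored digest of joh316 no longer appears in the table, and the two projects from the post store different digests for the same password.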