[TYPO3-dev] Password handling (Regarding youngest security issues)

Fri Nov 14 17:05:03 CET 2008

Hello folks,

a while ago I was thinking about how the password handling could be 
improved and now in the light of recent events I remembered my thoughts. 
  I hope to get some feedback what you think about it.

Of course the most obvious change that is needed is to encrypt the 
passwords of the FE-Users. We all know there is the possibility to do 
this by extensions and this should absolutely be a native thing for 
future releases. But that's not the point I want to make.

As Jochen Weiland showed at T3CON (i was not there unfortunatelly) md5 
passwords are not 100% safe. So called rainbow tables collect a huge 
amount of passwords and their md5 hashes (including hole dictonaries but 
also cryptic looking passwords). Those services are public to use in the 
web and not hard to find. So everybody can easily revert a md5-hash into 
it's origin if it is listed in a rainbow table. (Try it with some of 
your passwords, you'll be surprised)

Now these tables work because md5 of course works always the same way. 
joh316 will always be hased to bacb98acf97e0b6112b1d1b650b84971 in every 
project. Not only TYPO3 but also every other project that uses md5 which 
are quite a lot.

Now if every project had it's "own" md5, the general rainbow tables 
would be ineffective trying to decrypt these hashes. An attacker would 
have to create a rainbow table for the certain project he wants to 
attack, what is a bit of work.

Now how do we get unique md5 behaviour for each project? This would be 
quite simple: Just prepend all passwords with a unique project key 
bevore hashing them.

So if Project1 has the key _rhlzu and Project 2 has the key _wbjvw then 
joh316 would be encrypted:

Project1:

joh316 => joh316_rhlzu => a0e4932e3c3b8e0921d6f3dd4b553790

Project2:

joh316 => joh316_wbjvw => 22c5174f8175575ddd95cce4858ef189

I think managing the key via the install tool would be a good idea. The 
install tool should propose a randomly generated key, but the user(i 
mean the person installing TYPO3) should have the possibiliy to give 
his/her own key, e.g. to make the project compatible with a second project.

Now what if you want to merge two projects including theirs users? Now 
that's always difficult because you have to care of double used 
usernames etc. Regarding passwords the minor project should take the key 
of the major one and all users of the minor project should get mails 
with new generated passwords. In the light of change for the users that 
merging to communities brings along this step should be accepted by the 
users, since they know "something good is going on".

Ok.. these are my thoughts.

I'd be glad to get some feedback.

Sebastian G.