[TYPO3-dev] Password handling (Regarding youngest security issues)
Franz Koch
typo.removeformessage at fx-graefix.de
Fri Nov 14 19:55:50 CET 2008
Hi,
...
>
> Maybe not much better, but we can also try using SHA1. I've seen
> JavaScript implementations, so it can be easily used - in *new*
> installations(!) - if we add a BE[passwordDigestAlgorithm] config that
> allows the values of "md5" (default) and "sha1" or any other digest
> algorithm with PHP and JavaScript implementations.
Might random tokens with a lifetime of some seconds be an option as some
kind of salt?
Explanation:
- on a login-form request, TYPO3 generates a token (random string)
that's stored in the DB with a timestamp and the user's IP/session key
- this token is handed over to the login form and maybe used as salt for
encryption
- the auth-service fetches the token for this IP/session key from the DB
and checks its lifetime
- if the token is still valid it can be used for authentication
requests; if not, throw an error message and provide a new token
- to keep the DB size small, some cleanup method might erase outdated
records from the DB (maybe everything older than 5 minutes)
Of course this is not solving the issue for storing the passwords - but
it's some additional security that'll prevent bot-attacks.
--
kind regards,
Franz Koch