[TYPO3-dev] Password handling (Regarding youngest security issues)

Franz Koch typo.removeformessage at fx-graefix.de
Fri Nov 14 19:55:50 CET 2008


Hi,
...
> 
> Maybe not much better, but we can also try using SHA1. I've seen
> JavaScript implementations, so it can be easily used - in *new*
> installations(!) - if we add a BE[passwordDigestAlgorithm] config that
> allows the values of "md5" (default) and "sha1" or any other digest
> algorithm with PHP and JavaScript implementations.

Might random tokens with a lifetime of some seconds be an option as some 
kind of salt?

Explanation:

- on a login-form request, TYPO3 generates a token (random string) 
that's stored in the DB with a timestamp and the user's IP/session key
- this token is handed over to the login form and may be used as a salt 
for encryption
- the auth service fetches the token for this IP/session key from the DB 
and checks its lifetime
- if the token is still valid it can be used for authentication 
requests; if not, throw an error message and provide a new token

- to keep the DB size small, some cleanup methods might erase outdated 
records from the DB (maybe everything older than 5 minutes)


Of course this does not solve the issue of storing the passwords - but 
it's some additional security that'll prevent bot attacks.

-- 
kind regards,
Franz Koch

