[TYPO3-dev] Password handling (Regarding youngest security issues)
Sebastian Gebhard
sg at webagentur-gebhard.de
Sat Nov 15 12:05:39 CET 2008
Martin Kutschker wrote:
> ries van Twisk wrote:
>> You can also make sure you hide the password in the database
>
> Or you can store the passwords somewhere else. If you don't have an LDAP
> server around you can use a simple password daemon that handles the
> authentication for you. The daemon's data files should of course NOT be
> readable by the web server.
>
> Masi
I think it's not important how you hide the salt or password. Even if
you save the data on Mars, if the script can access these data then the
attacker can also do that if he has full access to the server.
IMHO all these proposals are not better than having a salted md5 hashed
password field beneath a field with the salt key for each user.
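
The layout this message describes (a per-user salt stored next to the salted md5 hash), as an added example that is not part of the original post or of TYPO3's code. The row field names, the PBKDF2 variant with its round count, and the rehash-on-login step are assumptions added for comparison; the two accounts are constructed sample data.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, tune to your hardware


def md5_salted(password, salt):
    # Scheme from the post: MD5 over per-user salt + password.
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt):
    # Same salt column, but a deliberately slow derivation function.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


SCHEMES = {"md5": md5_salted, "pbkdf2": pbkdf2_salted}


def store(users, name, password, scheme):
    salt = os.urandom(16)  # fresh random salt for every user
    users[name] = {"scheme": scheme, "salt": salt.hex(),
                   "hash": SCHEMES[scheme](password, salt)}


def login(users, name, candidate, upgrade_to="pbkdf2"):
    row = users.get(name)
    if row is None:
        return False
    salt = bytes.fromhex(row["salt"])
    computed = SCHEMES[row["scheme"]](candidate, salt)
    # Constant-time comparison of the stored and recomputed hash.
    if not hmac.compare_digest(computed, row["hash"]):
        return False
    # The plaintext is only available now, so rehash legacy rows here.
    if row["scheme"] != upgrade_to:
        store(users, name, candidate, upgrade_to)
    return True


def build_demo_table():
    # Constructed sample accounts: two users who chose the same password.
    users = {}
    store(users, "alice", "correct horse", "md5")
    store(users, "bob", "correct horse", "md5")
    return users
```

Because each row carries its own salt, the two sample users end up with different stored hashes even though their passwords match, and a row is moved to the slower scheme the first time its owner logs in successfully.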