[TYPO3-dev] salted passwords +hashing method

Georg Schönweger georg.schoenweger at gmail.com
Fri Jul 15 09:50:37 CEST 2011


Hi Steffen,

Thanks for your clarification :) .. maybe the manual/extension should be
changed in a further version so that the *default/recommended* methods
correspond to each other. IMO MD5 would be ok as default hashing
method. Blowfish and phpass are *special* hashing methods as you
described below.

- Georg

On 15.07.2011 09:21, Steffen Ritter wrote:
> On 15.07.2011 09:14, Georg Schönweger wrote:
>> Hi all,
>>
>> what's the recommended hashing method setting for TYPO3 4.5? In
>> /saltedpasswords /manual I read "phpass: *default and recommended
>> setting*" .. but in Configuration (Extension Manager) the default method
>> is "MD5 salted hashing". So which method is recommended?
>
> well this resides in a "little conflict" of us two extension authors
> in what would be the most use target ;)
>
> - the most secure way is blowfish
>
> - the most exchangeable way between several php based online systems
> (drupal, wordpress) will be phpass
>
> - the most system-interchangeable will be md5/blowfish (i.e. crypt api)
> as these passwords could be used for syslogin at linux/mac/unix/ldap,
> mysql, ftp etc... (all that uses the standard authentication method on
> unix). this is because it uses the system's crypt library...
>
> Furthermore - if you have an up to date system, you easily could
> switch to higher encryption standards...
>
>
> I fought for system-interchangeable, Marcus for php-interchangeable :)
> md5 is default because it is the only one crypt variant which on
> every php 5.2 system will be available.
>
> regards
>
> Steffen
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-dev
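
The three methods discussed in this thread can be told apart from the stored string alone, which is useful when auditing a user table after changing the configured method. The following is an added example, not part of the original thread and not TYPO3 code: it assumes the stored values follow the standard crypt(3) modular format (`$1$` for MD5, `$2a$` for Blowfish) and the phpass portable format (`$P$`), and the names `classify`, `audit` and `SAMPLE` are hypothetical.

```python
import re
from collections import Counter, defaultdict

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
C = "[./0-9A-Za-z]"  # alphabet shared by the crypt(3) and phpass encodings
PATTERNS = [
    ("md5-crypt", re.compile(rf"\$1\$(?P<salt>{C}{{1,8}})\$(?P<hash>{C}{{22}})")),
    ("blowfish", re.compile(rf"\$2[abxy]?\$(?P<cost>\d\d)\$(?P<salt>{C}{{22}})(?P<hash>{C}{{31}})")),
    ("phpass", re.compile(rf"\$[PH]\$(?P<cost>{C})(?P<salt>{C}{{8}})(?P<hash>{C}{{22}})")),
    ("unsalted-md5", re.compile(r"(?P<hash>[0-9a-f]{32})")),
]

def classify(stored):
    """Identify the scheme, salt and iteration count encoded in a stored hash."""
    for scheme, pattern in PATTERNS:
        m = pattern.fullmatch(stored)
        if not m:
            continue
        salt = m.groupdict().get("salt")
        if scheme == "blowfish":
            iterations = 2 ** int(m["cost"])           # log2 cost, two decimal digits
        elif scheme == "phpass":
            iterations = 2 ** ITOA64.index(m["cost"])  # log2 cost, one itoa64 character
        else:
            iterations = 1000 if scheme == "md5-crypt" else 1  # md5-crypt is fixed at 1000
        return {"scheme": scheme, "salt": salt, "iterations": iterations}
    return {"scheme": "unknown", "salt": None, "iterations": None}

def audit(rows):
    """Summarise (username, stored_hash) rows: scheme counts, users with no
    recognisable salt, and groups of users whose hashes share a salt."""
    counts, by_salt, unsalted = Counter(), defaultdict(list), []
    for user, stored in rows:
        info = classify(stored)
        counts[info["scheme"]] += 1
        if info["salt"] is None:
            unsalted.append(user)
        else:
            by_salt[(info["scheme"], info["salt"])].append(user)
    reused = sorted(users for users in by_salt.values() if len(users) > 1)
    return counts, unsalted, reused

# Constructed sample rows (not real hashes): the digest part is filler of the right length.
SAMPLE = [
    ("alice", "$1$saltsalt$" + "A" * 22),
    ("bob", "$2a$07$" + "B" * 22 + "C" * 31),
    ("carol", "$P$B" + "saltsalt" + "D" * 22),
    ("dave", "a" * 32),
    ("erin", "$1$saltsalt$" + "E" * 22),
]
```

The iteration counts are only comparable within one scheme, since each scheme iterates a different primitive.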



