[TYPO3-dev] Password expiry and blacklists
Peter Russ
peter.russ at 4many.net
Mon Feb 20 20:35:33 CET 2012
--- Original Message ---
From: Christian Lerrahn
Date: 20.02.2012 05:12:
> On Wed, 15 Feb 2012 07:28:58 +0100
> Peter Russ<peter.russ at 4many.net> wrote:
>
> [...]
>
>> In an enterprise you use LDAP. There the company's password policy is
>> defined. I see no need to add this into TYPO3. Maybe the extension
>> to connect to the LDAP could be improved to handle the few error
>> codes it gets from LDAP correctly.
>
> Actually, I'm not sure that LDAP will always be the authentication
> system of choice. But even if an organisation employs LDAP, I consider
> the scenario where the website is integrated into the LDAP
> authentication scheme rather rare. This is certainly only the case for
> large organisations but will most likely never apply to anything small
> or medium size. Nevertheless, these organisations are often large
> enough already to have strict security policies which might stipulate
> password expiry.
>
>> Further in companies it is a security risk to store passwords in
>> TYPO3.
>
> This is not necessarily true. In fact, in the case which led me to
> develop something earlier, the client's policy did not allow for
> sensitive data in the web database but had separate authentication
> which required password expiry as a requirement for all IT systems in
> the organisation. If I was in charge, I'd probably also rather keep a
> web server entirely separate from the corporate network and only
> ban the use of the same username and password combinations as in the
> corporate network.
>
> To cut a long story short, despite your explanation, I still disagree
> with there being no need for such a functionality.
>
Sorry, I got you wrong, mentioning "corporate environments" with SSO,
key cards and AD. If you are focusing on the SME market there might be a need.
Peter
--
Fiat lux! Docendo discimus.
_____________________________
uon GbR
http://www.uon.li
http://www.xing.com/profile/Peter_Russ