[TYPO3-project-4-3] saltedpasswords for v4.3

Sebastian Fischer sebastian at fischer.im
Sat Jun 20 12:20:53 CEST 2009


Hi Steffen,

Steffen Ritter wrote:
> Hi folks,
> 
> we finished "saltedpasswords" rewrite as sysext for TYPO3 4.3...
> We need you to test it on other systems.
> You'll find it at
>     https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/trunk
> attached is current T3X for easy testing...
> 
> Some facts:
> - on first login "oldformat" passwords are converted to salted if 
> "updatePasswd" is set (standard).

What happens if a password is already md5 crypted in the db?

> - Extension works on security levels "normal" and "rsa" in fe, for be 
> you have to use "rsa" for security reasons...
> - You can choose between using blowfish  and md5 to crypt your hash. 
> Currently this might be risky since there is no real portability since 
> blowfish not avaliable on every server... Since php 5.3 a own blowfish 
> build in library will be shipped which everytime will be used at 
> fallback if no syslib is installed.
> - We changed Hash-Format from a lib PHPasswd to a "generalized" and 
> really "portable" format, which will allow you to use TYPO3 user db for 
> other services (f.e.: smtp/pop3/imap-server, linux-login, samba shares 
> (even in windows over ldap), nfs/printerservices). The PHPasswd format 
> MAY be recognized if the old extension is available in ext-folder (not 
> installed) and "handleOldFormat" is set
> 
> 
> Following things we are currently awaiting (you cannot test yet):
>  - user creation in admin panel does hardcoded md5, so be shure not to 
> enable "forceSalted", which would only allow salted formats... I will 
> provide a patch within the next days, as soon as we have this ext in.

This would be crucial for using.

>  - the user setup Module has currently md5 hardcoded, Steffen Kamper 
> provided a patch, which allows to register your eval functions via Hook, 
> I attached this too...

Well agian ;) crucial

>  - for felogin "send new password" we are awaiting the patches in core 
> list to use the hook which is introduced there...
> 
> 
> regards
> 
> Steffen
> 

After reading i ask myself why didn't we have a feature like this until now.

Definitly a must have.

Greetings
Sebastian


More information about the TYPO3-project-4-3 mailing list