[TYPO3-bugs] Bug #1285: md5 password encryption for FE users

Franz Holzinger franz at fholzinger.com
Mon Jun 11 12:28:45 CEST 2007


Martin Kutschker wrote:

>> And the current passwords must be md5 encrypted. But
>> should the old passwords be stored somewhere?
> 
> Why? You can convert all plain text passwords *once* into md5 hashes.

Many people unfortunately tend to forget their passwords. You cannot
tell them their passwords any more. But you can autogenerate a password
like in sr_feuser_register. However, the code must then be changed in
order to also have the original password stored somewhere, because it
must be sent in the email.
But it is not possible to let the customer choose a new password. You do
not know that this person is the one he claims to be if he has not
logged in yet. Or maybe only a link could be sent to him, where he can
re-enter a new password every time he clicks on this link. However,
another person could catch this link, because emails are not very safe.
Or someone could see this email on his computer and log in. Maybe a
timeout is needed.

> If you dare you could write an UPDATE statement that converts all
> password entries that are not of length 32 to hashes.

Yes, this would be possible. But where should this code go?

It would be fine to also have a common password generation function
inside TYPO3, or at least a hook. Some people do not like German
umlauts or something similar in passwords.

- Franz
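
The reset-link idea raised in the message above (a mailed link for setting a new password, plus a timeout), as an added sketch that is not code from this thread or from TYPO3: the token works once, expires, and only its hash is stored. The class name, the in-memory dict standing in for a database table, and the 15-minute timeout are assumptions; Python is used only to keep the sketch language-neutral.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed timeout; the thread gives no value


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a table of pending password resets."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        """Create the token that goes into the mailed link; store only its hash."""
        now = time.time() if now is None else now
        # A new request cancels any older link for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the user id for a valid token, else None. Each token works once."""
        now = time.time() if now is None else now
        try:
            digest = self._digest(token)
        except UnicodeEncodeError:
            return None  # tokens issued here are always ASCII
        entry = self._pending.pop(digest, None)  # removed even if expired
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None
```

Because the entry is removed on the first redeem, a link that is intercepted or found in a mailbox later is useless once the owner has used it or the timeout has passed.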
