[TYPO3-bugs] Bug #1285: md5 password encryption for FE users
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Sat Jun 16 10:49:04 CEST 2007
Franz Holzinger wrote:
> Martin Kutschker wrote:
>
>>> And the current passwords must be md5 encrypted. But
>>> should the old passwords be stored somewhere?
>> Why? You can convert all plain text passwords *once* into md5 hashes.
>
> Many persons unfortunately tend to forget their passwords. You cannot
> tell them any more their passwords. But you can autogenerate a password
> like in sr_feuser_register. However then the code must be changed in
> order to also have the original password stored somewhere, because it
> must be sent in the email.
IMHO the code that autogenerates the password should store it encrypted
in the DB and send it via mail in one step.
> But it is not possible to let the customer choose a new password. You do
> not know that this person is the one he claims to be, if he did not
> login yet. Or maybe only a link could be sent to him, where he can
> reenter a new password every time he clicks on this link. However
> another person could catch this link, because emails are not very safe.
> Or someone could see this email on his computer and log in. Maybe a
> timeout is needed.
IBM (on their customer sites) lets you either enter the email address
or the login. If you enter the address it will send you a mail with the
login. If you enter the login it will send a mail to the address
belonging to the login (in the DB!) with a link where you can enter a
new password.
>> If you dare you could write an UPDATE statement that converts all
>> password entries that are not of length 32 to hashes.
>
> Yes this would be possible. But where shall this code come into?
The update wizard of the installer?
> Some persons do not like German umlauts or something similar in passwords.
They are always tricky because of character set issues. Sticking to
ASCII for logins and passwords is safer.
Masi
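As an added illustration (not code from the thread or from TYPO3 itself), the following Python script works through the two mechanisms discussed above on a constructed, in-memory stand-in for the fe_users table: the one-time conversion of plain-text passwords to md5 hashes, and a password-reset link that is both time-limited and single-use, which is the "timeout" Franz asks for. The column names, the reset_tokens table, the sample users and the use of sqlite3 are all assumptions of this example. The conversion check is slightly stricter than the "not of length 32" rule proposed in the thread: it also requires the 32 characters to be hex digits, so a 32-character plain-text password is not mistaken for a hash. Unsalted md5 is the scheme the thread discusses and is what this example stores; by current standards a password store would use a salted, slow hash instead, and the same migration and reset logic applies unchanged.

```python
import hashlib
import secrets
import sqlite3
import string

HEX = set(string.hexdigits)


def looks_like_md5(value: str) -> bool:
    """The thread's heuristic, tightened: a stored md5 hash is 32 hex characters."""
    return len(value) == 32 and all(c in HEX for c in value)


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def open_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for fe_users (columns assumed) plus a reset-token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE reset_tokens (username TEXT, token_hash TEXT, expires INTEGER)")
    conn.executemany(
        "INSERT INTO fe_users (username, email, password) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "s3cret"),       # plain text, must be converted
            ("bob", "bob@example.invalid", md5_hex("hunter2")),  # already an md5 hash
            ("carol", "carol@example.invalid", "x" * 32),       # 32 chars but not hex: still plain text
        ],
    )
    return conn


def migrate_plaintext_passwords(conn: sqlite3.Connection) -> int:
    """One-time conversion: hash every password that does not already look like an md5 digest.
    Returns the number of rows rewritten; running it again is a no-op."""
    rows = conn.execute("SELECT uid, password FROM fe_users").fetchall()
    updated = 0
    with conn:  # one transaction, so a failure leaves no half-converted table
        for uid, pw in rows:
            if looks_like_md5(pw):
                continue
            conn.execute("UPDATE fe_users SET password = ? WHERE uid = ?", (md5_hex(pw), uid))
            updated += 1
    return updated


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM fe_users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return secrets.compare_digest(row[0], md5_hex(password))


def issue_reset_link(conn: sqlite3.Connection, username: str, now: int, ttl: int = 3600):
    """Generate the secret, store only its hash with an expiry, and hand back the
    address and token for the mail in one step. Nothing reusable is kept in the DB."""
    row = conn.execute("SELECT email FROM fe_users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    with conn:
        conn.execute("DELETE FROM reset_tokens WHERE username = ?", (username,))
        conn.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)", (username, token_hash, now + ttl))
    return row[0], token


def redeem_reset_token(conn: sqlite3.Connection, username: str, token: str, new_password: str, now: int) -> bool:
    """The link stops working after ttl seconds and after its first use, so a copy
    seen later in the mailbox no longer lets anyone set a password."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = conn.execute(
        "SELECT expires FROM reset_tokens WHERE username = ? AND token_hash = ?", (username, token_hash)
    ).fetchone()
    if row is None or now > row[0]:
        return False
    with conn:
        conn.execute("UPDATE fe_users SET password = ? WHERE username = ?", (md5_hex(new_password), username))
        conn.execute("DELETE FROM reset_tokens WHERE username = ?", (username,))
    return True


if __name__ == "__main__":
    db = open_demo_db()
    print("converted rows:", migrate_plaintext_passwords(db))
    email, tok = issue_reset_link(db, "alice", now=1000, ttl=60)
    print("mail to", email, "with a token; redeem in time:", redeem_reset_token(db, "alice", tok, "newpw", now=1030))
```

The migration should be run once, against a backup, before the login code starts comparing hashes; the `looks_like_md5` check is what makes it safe to re-run if the first attempt is interrupted.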