[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Ingmar Schlecht ingmar at typo3.org
Mon Jan 14 21:01:39 CET 2008


Hi Steffen,

great that you have a solution to this one as well!

There's just one point I'd like to add: The security team is currently 
planning to use a "salt" string for the MD5 generation for Backend 
passwords and this is definitely something that should be used here as 
well. See http://en.wikipedia.org/wiki/Salt_%28cryptography%29

The point is basically that you don't just do md5($password) but instead 
md5($password.'some random string') and what you then save in the 
database is (a) the resulting md5 and (b) the random string you used as 
the salt (in an additional field called "password_salt" for example).

The idea is to make it harder to recover the original password from the MD5.

I think it's important that this is in the md5 feuser password 
protection from the start, because adding it later on just makes 
things incompatible.

cheers
Ingmar

Steffen Kamper wrote:
> Type: Feature
> 
> Branches: Trunk only
> 
> BT reference: http://bugs.typo3.org/view.php?id=7139
> 
> Problem:
> fe_users password is only in plain mode
> 
> Solution:
>  using a simple flag
> $TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5';
> 
> authentication takes care and in case of md5 compares to md5-value.
> 
> In BE eval of fe_users field password looks to this flag too, so saving user 
> password in BE with flag set to md5 will save it to md5 value
> 
> Additional:
> The solution seems to be very easy. If any auth-service overrides it, new 
> service has to take care of. please check if there are side effects.
> 
> vg  Steffen 


-- 
Ingmar Schlecht
TYPO3 Association Active Member
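The salted scheme Ingmar describes above (store md5($password . $salt) together with the salt, rather than md5($password)), written out as an added PHP example. This is not code from the TYPO3 patch or from either author; the function names and the "password_salt" column name are assumptions, and the sample passwords are constructed.

```php
<?php
// Added example, not part of the TYPO3 patch discussed in this thread.
// Demonstrates salted MD5 storage for fe_users passwords: the database
// holds (a) md5($password . $salt) and (b) the salt that was used.
// Function names and the "password_salt" column name are assumptions.

declare(strict_types=1);

/** Generate a per-user random salt (16 random bytes, hex-encoded). */
function generateSalt(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Build the record to store for a user: the salted MD5 plus the salt.
 * Returns ['password' => <md5 hex>, 'password_salt' => <salt>].
 */
function createSaltedRecord(string $password): array
{
    $salt = generateSalt();
    return [
        'password'      => md5($password . $salt),
        'password_salt' => $salt,
    ];
}

/** Verify a login attempt against a stored record without leaking timing. */
function verifySaltedPassword(string $candidate, array $record): bool
{
    $computed = md5($candidate . $record['password_salt']);
    // hash_equals() compares in constant time.
    return hash_equals($record['password'], $computed);
}

// --- Demonstration with constructed sample data ---
$alice = createSaltedRecord('correct horse');
$bob   = createSaltedRecord('correct horse');

// Unsalted: identical passwords produce identical hashes, so one
// precomputed table of md5 values cracks every user at once.
var_dump(md5('correct horse') === md5('correct horse'));

// Salted: the same password yields different stored values per user,
// so each hash has to be attacked separately.
var_dump($alice['password'] === $bob['password']);

// Login checks use the stored salt to recompute and compare.
var_dump(verifySaltedPassword('correct horse', $alice));
var_dump(verifySaltedPassword('wrong', $alice));
```

The salt removes the shared-lookup-table weakness but does nothing about MD5 being very fast to compute, so a single leaked salted hash can still be brute-forced quickly. Current PHP provides password_hash() and password_verify(), which generate the salt and apply a deliberately slow algorithm (bcrypt by default) automatically; that is the form a new implementation should take today.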

