[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Steffen Kamper steffen at sk-typo3.de
Mon Jan 14 21:30:26 CET 2008


"Ingmar Schlecht" <ingmar at typo3.org> wrote in the news posting 
news:mailman.1.1200340900.17568.typo3-team-core at lists.netfielders.de...
> Hi Steffen,
>
> great you're having a solution to this one as well!
>
> There's just one point I'd like to add: The security team is currently 
> planning to use a "salt" string for the MD5 generation for Backend 
> passwords and this is definitely something that should be used here as 
> well. See http://en.wikipedia.org/wiki/Salt_%28cryptography%29
>
> The point is basically that you don't just do md5($password) but instead 
> md5($password.'some random string') and what you then save in the database 
> is (a) the resulting md5 and (b) the random string you used as the salt 
> (in an additional field called "password_salt" for example).
>
> The idea is to make it harder to recover the original password from the 
> MD5.
>
> I think it's important that this is in the md5 fe_user password protection 
> from the start, because adding it later on just makes things 
> incompatible.
>
> cheers
> Ingmar
>

Hi Ingmar,

good to know, 2 additional questions:

1) Is the salt string always the same and saved in the configuration (like 
the encryption key that is already present)? Or should it be randomly 
generated and saved in each record?
2) For doing that the eval-js has to be changed, otherwise it's impossible 
to save passwords in the BE. I don't know about the security issues of that, but it 
could be dangerous, because the salt has to be present in the JS and this is 
written to disk as a cached file.

Best regards, Steffen 
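The scheme Ingmar describes, with the per-record variant of the salt that Steffen asks about, as an added example written for current PHP (not code from the thread or from TYPO3); the `password` / `password_salt` field names follow the discussion, the helper names are assumptions:

```php
<?php
// Added example, not from the thread or TYPO3: per-record salted hash as
// proposed by Ingmar, with the salt stored beside the hash in "password_salt".

function generateSalt(int $bytes = 16): string
{
    // A fresh random salt for every record; random_bytes() is a CSPRNG.
    return bin2hex(random_bytes($bytes));
}

function hashPassword(string $password, string $salt): string
{
    // The construction proposed in the thread: md5($password . $salt).
    return md5($password . $salt);
}

function createRecord(string $password): array
{
    // Both values go to the database; the salt is not secret, only unique.
    $salt = generateSalt();
    return [
        'password'      => hashPassword($password, $salt),
        'password_salt' => $salt,
    ];
}

function verifyPassword(array $record, string $candidate): bool
{
    // Recompute with the stored salt; hash_equals() is a constant-time compare.
    $expected = hashPassword($candidate, $record['password_salt']);
    return hash_equals($record['password'], $expected);
}

// Two records with the same password get different hashes because the
// salts differ, so a single precomputed table no longer covers both.
$a = createRecord('secret');
$b = createRecord('secret');
echo "hashes differ: " . var_export($a['password'] !== $b['password'], true) . "\n";
echo "correct password: " . var_export(verifyPassword($a, 'secret'), true) . "\n";
echo "wrong password:   " . var_export(verifyPassword($a, 'wrong'), true) . "\n";
```

With a single site-wide salt from the configuration instead, every record sharing a password would also share a hash, which is why the per-record salt is the variant that defeats precomputed tables. In current PHP the md5 construction itself would be replaced by password_hash(), which handles salting internally.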
