[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Ingmar Schlecht
ingmar at typo3.org
Mon Jan 14 21:36:21 CET 2008
Hi Steffen,
Steffen Kamper wrote:
> good to know, 2 additional questions:
>
> 1) Is the salt string always the same and saved in the configuration (like
> the encryption key that is already present)? Or should it be randomly
> generated and saved in each record?
> 2) For doing that the eval-JS has to be changed, otherwise it's impossible
> to save passwords in the BE. I don't know the security issue of that, but it
> could be dangerous, because the salt has to be present in the JS and this is
> written to disk as a cached file.
It could be both, either something like the encryption key or something
that is generated for each password and just saved along with the
password in another DB table field.
However, using the encryption key is not such a good idea, because just
imagine that you accidentally change it: then all your FE user passwords
become invalid! Therefore it is better to save the salt along with the
passwords.
You can also store the password in the same field you store the MD5 in
(the "password" field of the fe_users table), maybe separated by an "@".
Example:
a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password
cheers
Ingmar
--
Ingmar Schlecht
TYPO3 Association Active Member
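The two storage options discussed in this thread, worked through as an added example (this is not code from the thread or from TYPO3): a per-record random salt stored in the same `password` field as the digest, separated by "@" as Ingmar proposes, beside a digest keyed with a site-wide secret like the encryption key. The `demo()` function shows the failure mode he describes: rotating the site-wide value invalidates every stored password at once, while per-record salts are unaffected. The digest is PBKDF2-HMAC-SHA256 rather than the MD5 assumed in 2008 (MD5 is not an acceptable password hash today); the layout and the verification logic are the point. All function names, the iteration count and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constants for this example (assumed, not TYPO3 settings).
ITERATIONS = 100_000  # PBKDF2 work factor; must stay fixed or stored digests stop verifying
SEPARATOR = "@"       # separator between digest and salt, as proposed in the thread


def _digest(password: str, salt: str) -> str:
    """Derive a hex digest from password and salt with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS
    ).hex()


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return the value to store in fe_users.password as '<digest>@<salt>'.

    A fresh random salt is generated per record unless one is supplied, so
    two users with the same password get different stored values.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    return f"{_digest(password, salt)}{SEPARATOR}{salt}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored 'digest@salt' value."""
    # The digest is hex, so the first SEPARATOR always starts the salt.
    digest, sep, salt = stored.partition(SEPARATOR)
    if not sep or not salt:
        return False  # malformed record or legacy unsalted MD5: reject rather than guess
    return hmac.compare_digest(_digest(password, salt), digest)


def hash_with_site_salt(password: str, site_salt: str) -> str:
    """The alternative from the thread: one configuration-wide salt, nothing stored per record."""
    return _digest(password, site_salt)


def verify_with_site_salt(password: str, stored: str, site_salt: str) -> bool:
    """Verify a digest that depends on the current configuration-wide salt."""
    return hmac.compare_digest(_digest(password, site_salt), stored)


def demo() -> Dict[str, bool]:
    """Contrast both schemes on constructed sample users.

    Rotating the site-wide salt makes every stored digest unverifiable;
    per-record salts keep working because each salt travels with its digest.
    """
    users = {"alice": "correct horse", "bob": "battery staple"}  # constructed sample data
    per_record = {u: hash_password(p) for u, p in users.items()}
    site_wide = {u: hash_with_site_salt(p, "old-site-salt") for u, p in users.items()}
    return {
        "per_record_ok": all(verify_password(p, per_record[u]) for u, p in users.items()),
        "site_wide_ok": all(
            verify_with_site_salt(p, site_wide[u], "old-site-salt") for u, p in users.items()
        ),
        # After the operator changes the site salt, no stored digest matches any more.
        "site_wide_after_rotation": any(
            verify_with_site_salt(p, site_wide[u], "new-site-salt") for u, p in users.items()
        ),
        # Same password, two records: the random salt makes the stored values differ.
        "salts_differ": hash_password("x").split(SEPARATOR)[1]
        != hash_password("x").split(SEPARATOR)[1],
    }


if __name__ == "__main__":
    print(hash_password("correct horse"))
    print(demo())
```

Rejecting a value without a separator (rather than falling back to a plain MD5 comparison) is deliberate: a migration from unsalted records should rehash on the user's next successful login through an explicit legacy path, not by silently accepting either format in the same check. Parsing with `partition` on the first "@" is safe because the digest is hex and can never contain the separator, so the salt itself may contain "@" characters.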