[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Dmitry Dulepov [typo3] dmitry at typo3.org
Mon Jan 14 21:50:40 CET 2008


Hi!

Ingmar Schlecht wrote:
> However, using the encryption key is not such a good idea, because just 
> imagine that you accidentally change it: Then all your FE user passwords 
> get invalid! Therefore it is better to save the salt along with the 
> passwords.

If the security key is changed, lots of things stop working. I tried once (it was for 3.7.0, I think). So it is quite safe to use: everything breaks if the security key is changed.

> You can also store the password in the same field you store the MD5 in 
> (the "password" field of the fe_users table), maybe separated by an "@".
> 
> Example:
>  a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password

Hm, good idea! Random string can be obtained with "uniqid('', true)".

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"
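
The "hash@salt" field layout discussed in this thread, as an added PHP example that is not part of the original message or of TYPO3 code. The function names, the md5(salt . password) construction and the treatment of rows without "@" as unsalted MD5 are assumptions made for illustration.

```php
<?php
// Added illustration of the "md5@salt" layout for the fe_users password field.
// Assumption: the digest is md5(salt . password); the thread does not fix this.

/** Build the stored value "<md5 hex>@<salt>" (hypothetical helper). */
function makePasswordField(string $password): string
{
    // uniqid('', true) as suggested in the thread. It is derived from the
    // current time and is not cryptographically secure (see the PHP manual);
    // bin2hex(random_bytes(16)) is a CSPRNG-based drop-in.
    $salt = uniqid('', true);
    return md5($salt . $password) . '@' . $salt;
}

/** Check a login attempt against a stored field (hypothetical helper). */
function checkPasswordField(string $stored, string $attempt): bool
{
    // An MD5 hex digest never contains "@", so the first "@" is the separator.
    $parts = explode('@', $stored, 2);
    $digest = strtolower($parts[0]);
    if (!preg_match('/^[0-9a-f]{32}$/', $digest)) {
        return false; // first part is not an MD5 digest: reject
    }
    if (count($parts) === 2 && $parts[1] === '') {
        return false; // "digest@" with an empty salt is malformed
    }
    // Assumption: a row without "@" is an older, unsalted MD5.
    $salt = $parts[1] ?? '';
    // hash_equals() compares in constant time.
    return hash_equals($digest, md5($salt . $attempt));
}

// Constructed sample data, not taken from the thread.
$field = makePasswordField('s3cret');
var_dump(checkPasswordField($field, 's3cret'));        // salted row, right password
var_dump(checkPasswordField($field, 'wrong'));         // salted row, wrong password
var_dump(checkPasswordField(md5('s3cret'), 's3cret')); // unsalted row without "@"
```

Because the salt travels with each digest, changing the installation's encryption key leaves these fields verifiable, which is the point raised in the quoted text.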

