[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Ingmar Schlecht
ingmar at typo3.org
Tue Jan 15 01:24:19 CET 2008
Hi Steffen,
Steffen Kamper wrote:
> Ok. I had a first look at that. There are some issues that have to be respected.
>
> - method for salted password compare should be general in
> t3lib_userauth::compareUident to have no doublecoding for the same method
> (BE & FE)
> - method for generate salt should be a static method, maybe t3lib_div, as
> it's needed in tceforms and other places. I like Ingmars+Dmitry's proposal
> to generate it the way
> $saltKey = uniqid('',true);
> $password = (string)md5($password . $saltKey) . '@' . $saltKey;
This is exactly what I was thinking of. (You won't need the (string), as
md5() returns a string anyway.)
> - to separate methods for BE & FE 2 new config vars should be created, eg
> $TYPO3_CONV_VARS['BE']['useSaltKey'] = true;
> $TYPO3_CONV_VARS['FE']['useSaltKey'] = true;
>
> or should it be like the configvar i introduced in this patch to have three
> states
> $TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5|salt';
> Then it would make sense to use the same for BE (without plain)
> $TYPO3_CONF_VARS['BE']['passwordType'] = 'md5|salt';
I'd use "salted_md5" as "passwordType", so it'd be like:
$TYPO3_CONF_VARS['FE']['passwordType'] = 'plain|md5|salted_md5';
> - i'm not sure what happens with challenged/superchallenged, as they should
> also use saltKey if set.
The security team currently thinks about other ways for BE login than
the traditional challenged/superchallenged.
The idea is to store a salted MD5 of the password in the database and
let the client send the clear text password to the server during log-in,
but secured with JavaScript based public key encryption (which exists!).
That way it would be no longer possible to log in with the MD5 string
found in the database.
> I think it would be the best to make it for both BE/FE in one task as
> methods overlap.
The tasks definitely overlap and it is definitely the right thing to
write the new methods in a way that both BE and FE can use them, but
maybe it's better to do the FE as a first step and add the BE login
later on.
cheers
Ingmar
--
Ingmar Schlecht
TYPO3 Association Active Member
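The hash@salt storage layout and the shared compare routine discussed in this thread, as an added illustration (not code from the patch or from TYPO3 itself); the function names, the 'plain|md5|salted_md5' switch and the demo values are assumptions for the example.

```php
<?php
// Added example, not TYPO3 code: the salted-MD5 scheme from the thread.
// Stored form: md5(password . salt) . '@' . salt, exactly as quoted above.
// Note: MD5 is fast and unsalted MD5 is trivially looked up; modern PHP
// offers password_hash()/password_verify() for new designs.

function generateSaltKey(): string
{
    // uniqid('', true) as proposed in the thread; time based, not a CSPRNG.
    return uniqid('', true);
}

function hashPassword(string $password, string $passwordType): string
{
    switch ($passwordType) {
        case 'plain':
            return $password;
        case 'md5':
            return md5($password);
        case 'salted_md5':
            $saltKey = generateSaltKey();
            return md5($password . $saltKey) . '@' . $saltKey;
        default:
            throw new InvalidArgumentException('Unknown passwordType: ' . $passwordType);
    }
}

// One compare routine usable by both BE and FE (hypothetical stand-in for the
// t3lib_userauth::compareUident placement suggested in the thread).
function compareUident(string $stored, string $password, string $passwordType): bool
{
    switch ($passwordType) {
        case 'plain':
            return hash_equals($stored, $password);
        case 'md5':
            return hash_equals($stored, md5($password));
        case 'salted_md5':
            $at = strpos($stored, '@');
            if ($at === false) {
                return false; // stored value lacks the hash@salt layout
            }
            $saltKey = substr($stored, $at + 1); // salt is everything after '@'
            return hash_equals($stored, md5($password . $saltKey) . '@' . $saltKey);
        default:
            return false;
    }
}

// Constructed demo values: first compare succeeds, second fails.
$stored = hashPassword('correct horse', 'salted_md5');
var_dump(compareUident($stored, 'correct horse', 'salted_md5'), compareUident($stored, 'wrong', 'salted_md5'));
```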