[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Ingmar Schlecht
ingmar at typo3.org
Tue Jan 15 19:11:06 CET 2008
Ernesto Baschny [cron IT] wrote:
>> You can also store the password in the same field you store the MD5 in
>> (the "password" field of the fe_users table), maybe separated by an "@".
>>
>> Example:
>> a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password
>
> Reusing the same salt for all passwords on one site (even if it is the
> "encryption key") is probably the same security as not using any salt at
> all. It needs to be "random" for every password, because only then you
> have the security that the same password won't "ever" have the same hash.
That's wrong; having a salt at all is much more important than having a
unique one for each of the passwords, as it gets much harder to find the
clear text password corresponding to an MD5() when you've added a long
string like the encryption key to it. E.g. using any of the publicly
available MD5 lookup databases gets impossible then.
> Why not use a method for storing the salt + hash that is compatible with
> what we have in the Unix world (passwd) and which can be achieved by
> "pure" PHP methods:
>
> $1$6ki0A8QD$BNqCdjMqQF8xeryq9odmb0
>
> $1 = md5 with 8 character salt
> The encrypted password can be obtained with the php "crypt()" method:
>
> http://www.php.net/crypt
Good idea, but is crypt available on all platforms?
cheers
Ingmar
--
Ingmar Schlecht
TYPO3 Association Active Member
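As an added example (not code from this thread, from TYPO3 or from PHP), the following Python re-implements the $1$ scheme that PHP's crypt() produces for a "$1$"-prefixed salt (MD5-crypt, as used in Unix passwd), stores and verifies passwords in that self-describing "$1$salt$hash" form with a fresh random salt per password, and sets both weaker variants from the discussion beside it: an unsalted MD5 and the "hash@salt" layout with one site-wide salt. The function and constant names, the site key and the small "lookup database" are constructed for illustration and are not the project's.

```python
import hashlib
import hmac
import secrets

# crypt(3)'s base-64 alphabet (not RFC 4648) and the MD5-crypt prefix
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt: returns '$1$salt$hash', the same as crypt(pw, '$1$salt$')."""
    pw = password.encode("utf-8")
    s = salt.encode("ascii")
    if s.startswith(MAGIC):                 # accept a full record or bare salt
        s = s[len(MAGIC):]
    sl = s.split(b"$")[0][:8]               # crypt() stops at '$', max 8 chars
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # one byte of alt per password byte
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                             # the historical bit-walk over len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000-round stretching
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = MAGIC + sl + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out.decode("ascii")


def new_salt() -> str:
    """8 random characters from the crypt alphabet: a fresh salt per password."""
    return "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))


def hash_password(password: str) -> str:
    return md5_crypt(password, new_salt())


def verify_password(password: str, record: str) -> bool:
    """The salt is read back out of the record, so no extra column is needed."""
    parts = record.split("$")               # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or len(parts[3]) != 22:
        return False
    computed = md5_crypt(password, parts[2]).encode()
    return hmac.compare_digest(computed, record.encode())


# --- the two weaker variants from the thread, for comparison -------------
SITE_KEY = "s1t3-w1d3-encryption-key"      # constructed stand-in for a site key


def unsalted_record(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def site_salted_record(password: str, site_key: str = SITE_KEY) -> str:
    """'hash@salt' layout with the same salt for every password on the site."""
    return hashlib.md5((password + site_key).encode()).hexdigest() + "@" + site_key


# constructed stand-in for a public MD5 lookup database
WORDLIST = ["123456", "password", "letmein", "typo3", "qwerty"]
LOOKUP_DB = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def lookup(record: str):
    """Reverse the MD5 part of a record through the precomputed table, if present."""
    return LOOKUP_DB.get(record.split("@")[0])


if __name__ == "__main__":
    print(lookup(unsalted_record("letmein")))        # found: letmein
    print(lookup(site_salted_record("letmein")))     # None: any salt defeats the table
    # but one salt per site gives every user with this password the same record
    print(site_salted_record("letmein") == site_salted_record("letmein"))
    rec = hash_password("letmein")
    print(rec, verify_password("letmein", rec), verify_password("letmeout", rec))
```

Running it shows both sides of the exchange at once: the site-wide salt does take the record out of a public MD5 lookup table, yet two accounts with the same password still end up with identical records (and one table built against the site key covers all of them), while hash_password() gives a different record every call and verify_password() recovers the salt from the record itself. Note that MD5-crypt's 1000 rounds are a 1990s cost; on current PHP, password_hash()/password_verify() is the drop-in replacement for this scheme.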