[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Steffen Kamper steffen at sk-typo3.de
Tue Jan 15 19:16:09 CET 2008


"Ernesto Baschny [cron IT]" <ernst at cron-it.de> wrote in message
news:mailman.1.1200419961.3485.typo3-team-core at lists.netfielders.de...
> Ingmar Schlecht wrote: on 14.01.2008 21:36:
>
>>> 1) is the salt string always the same and is saved in configuration 
>>> (like the encryption key that is already present) ? Or should it be a 
>>> random generated, saved in each record? (
> > (...)
>
>> It could be both, either something like the encryption key or something 
>> that is generated for each password and just saved along with the 
>> password in another DB table field.
>>
>> However, using the encryption key is not such a good idea, because just 
>> imagine that you accidentally change it: Then all your FE user passwords 
>> get invalid! Therefore it is better to save the salt along with the 
>> passwords.
>>
>> You can also store the password in the same field you store the MD5 in 
>> (the "password" field of the fe_users table), maybe separated by an "@".
>>
>> Example:
>>  a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password
>
> Reusing the same salt for all passwords on one site (even if it is the 
> "encryption key") is probably the same security as not using any salt at 
> all. It needs to be "random" for every password, because only then you 
> have the security that the same password won't "ever" have the same hash.
>
> Why not use a method for storing the salt + hash that is compatible with 
> what we have in the Unix world (passwd) and which can be achieved by 
> "pure" PHP methods:
>
> $1$6ki0A8QD$BNqCdjMqQF8xeryq9odmb0
>
> $1 = md5 with 8 character salt
>
> The encrypted password can be obtained with the php "crypt()" method:
>
> http://www.php.net/crypt
>
> Cheers,
> Ernesto

As BE works with JS methods in eval, the same algorithm has to be used in 
JS. So I don't know how this can be done, or a salt has to be generated 
dynamically in template.php in JS-section.

Regards, Steffen
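
The per-password salt and the `$1$<salt>$<hash>` storage format proposed in the quoted message, as an added PHP example that is not part of this thread and not TYPO3 code. The helper names `makeSalt`, `hashPassword` and `verifyPassword`, the sample password and the `SITEWIDE` salt are assumptions made for illustration; `$1$` (MD5) is used only because it is the format the thread discusses.

```php
<?php
// Added example, not TYPO3 code. Helper names are hypothetical.

/** Build a random 8-character salt from the crypt(3) alphabet. */
function makeSalt(int $length = 8): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return $salt;
}

/** Hash a password into "$1$<salt>$<hash>" using a fresh salt for this record. */
function hashPassword(string $password): string
{
    return crypt($password, '$1$' . makeSalt() . '$');
}

/** Verify by re-running crypt() with the stored string as the salt argument. */
function verifyPassword(string $password, string $stored): bool
{
    // Accept only well-formed $1$ records; anything else fails closed.
    if (!preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $stored)) {
        return false;
    }
    // crypt() reads the algorithm and salt back out of $stored.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample data: two accounts that chose the same password.
$alice = hashPassword('correct horse');
$bob   = hashPassword('correct horse');
echo "alice: $alice\nbob:   $bob\n";

// Per-record salts: compare the two stored values for the same password.
var_dump($alice === $bob);

// One site-wide salt (constructed value): compare the same two accounts.
$siteSalt = '$1$SITEWIDE$';
var_dump(crypt('correct horse', $siteSalt) === crypt('correct horse', $siteSalt));

// Verification needs no separate salt column: the salt travels in the record.
var_dump(verifyPassword('correct horse', $alice));
var_dump(verifyPassword('wrong guess', $alice));
```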