[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Jan 15 19:47:07 CET 2008


Ingmar Schlecht wrote: on 15.01.2008 19:11:
> Ernesto Baschny [cron IT] wrote:
>>> You can also store the password in the same field you store the MD5 
>>> in (the "password" field of the fe_users table), maybe separated by 
>>> an "@".
>>>
>>> Example:
>>>  a2md56fhf7zfmd5rhzfdmd5du4@some_random_salt_string_for_this_password
>>
>> Reusing the same salt for all passwords on one site (even if it is the 
>> "encryption key") is probably the same security as not using any salt 
>> at all. It needs to be "random" for every password, because only then 
>> you have the security that the same password won't "ever" have the 
>> same hash.
> 
> That's wrong; having a salt at all is much more important than having a 
> unique one for each of the passwords, as it gets much harder to find the 
> clear text password corresponding to an MD5() when you've added a long 
> string like the encryption key to it. E.g. using any of the publicly 
> available MD5 lookup databases gets impossible then.

So I don't see what is wrong in what I have said. Having a random salt 
enhances security without much cost. Stealing the whole database 
including the encryptionKey will render the work of cracking every 
password much more difficult.

Another side effect is that if user A has the same password as user B, 
both will still have no way of knowing that, because their hashes are 
different.

>> $1$6ki0A8QD$BNqCdjMqQF8xeryq9odmb0
>>
>> $1 = md5 with 8 character salt
>> The encrypted password can be obtained with the php "crypt()" method:
>>
>> http://www.php.net/crypt
> 
> Good idea, but is crypt available on all platforms?

On any glibc-based system it should be available.

The fact is that crypt() doesn't do a "dumb" md5(password+salt), but a 
much more complicated task for avoiding brute force dictionary attacks. 
So if we don't use the same algorithm but implement the simple 
md5(password+salt) way, we might as well store it differently, as it 
might confuse people.

Cheers,
Ernesto
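An added example, not from this thread and not TYPO3 code: the "$1$" MD5-crypt scheme that crypt() implements on glibc systems, written out in Python so the two points above can be checked directly. The salt is embedded in the stored string, a fresh random salt per password makes two users with the same password get different hashes, and the 1000-round mixing is visibly not a plain md5(password+salt). The naive md5(password+encryptionKey) variant is included for contrast. The function names, the constructed sample password and the site key are assumptions made for this illustration.

```python
# Added example (not TYPO3 code, not from the thread): the "$1$" MD5-crypt
# scheme that PHP's crypt() implements on glibc, in Python, next to the naive
# md5(password + site-wide key) scheme discussed above.
import hashlib
import hmac
import secrets

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length: int = 8) -> str:
    """Fresh random salt per password, drawn from crypt()'s salt alphabet."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(length))


def _to64(value: int, count: int) -> bytes:
    """crypt()'s 6-bits-per-character encoding, least significant bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: str) -> str:
    """Return "$1$<salt>$<hash>", following crypt(3)'s MD5 variant.

    `salt` may be a bare salt or a full "$1$salt$hash" string, as with crypt().
    """
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]          # crypt() keeps at most 8 salt chars
    s = salt.encode("ascii")

    ctx = hashlib.md5(password + MAGIC + s)
    alt = hashlib.md5(password + s + password).digest()
    remaining = len(password)
    while remaining > 0:                       # one byte of alt per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                # per bit of the length: NUL or pw[0]
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                      # 1000 rounds to slow down brute force
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return "$1$" + salt + "$" + encoded.decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Recompute using the salt embedded in `stored`; compare in constant time."""
    return hmac.compare_digest(md5_crypt(password, stored), stored)


def naive_site_salt_hash(password: bytes, site_key: bytes) -> str:
    """The md5(password + encryptionKey) idea from the thread: one salt shared
    by every user, so users with equal passwords still get equal hashes."""
    return hashlib.md5(password + site_key).hexdigest()


if __name__ == "__main__":
    pw = b"correct horse"                     # constructed sample password
    h_a = md5_crypt(pw, make_salt())          # user A
    h_b = md5_crypt(pw, make_salt())          # user B, same password
    print(h_a, h_b, "differ:", h_a != h_b, "verify:", verify(pw, h_a))
    site = b"site-wide-encryption-key"        # assumed site key, for contrast
    print("naive scheme leaks equality:",
          naive_site_salt_hash(pw, site) == naive_site_salt_hash(pw, site))
```

verify() passes the whole stored string back in as the salt, exactly as one would call crypt($input, $stored) in PHP, so no separate salt column or "@" separator is needed; the "$1$" prefix also makes the scheme self-describing if the hashing method is changed later.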


More information about the TYPO3-team-core mailing list