[TYPO3-core] FYI: Added feature #12076: Integration of saltedpasswords as system extension

Oliver Hader oliver at typo3.org
Tue Sep 29 20:40:24 CEST 2009


Salted passwords has just been integrated into SVN Trunk (rev. 6067) as a
system extension using svn:externals. Until TYPO3 4.3 RC, it shall be merged
into SVN Trunk.

Type: Feature

Branch: Trunk

SVN URI used for svn:externals:
https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/tags/43beta1/

Bugtracker reference:
http://bugs.typo3.org/view.php?id=12076

Problem:
Passwords of backend users are stored as MD5 hashes, and weak passwords
like "secret" can be recovered from such a hash using rainbow tables.
Passwords of frontend users are not hashed at all.

Solution:
The possibility of rainbow table attacks is reduced by adding a random salt
to the stored hash. The saltedpasswords extension can create hashes using
the PHP crypt() function or the phpass hashing framework. Thus the following
hash variants can be used:
* MD5, hash starting with $1$
* Blowfish, hash starting with $2$ or $2a$
* phpass, hash starting with $P$
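
To make the salt and the prefix scheme concrete, here is an added example (not code from the saltedpasswords extension, which is PHP): a small Python re-implementation of the phpass portable $P$ scheme, a prefix-based detector for the three variants listed above plus the legacy unsalted MD5 layout, and the legacy hash for comparison. Names such as identify_scheme, phpass_hash and verify_phpass are assumptions made for this illustration; the test password and salt are constructed.

```python
"""Added example: phpass ($P$) salted hashing and hash-format identification.

Python re-implementation for illustration only; the saltedpasswords
extension itself is PHP and uses crypt() or the phpass library.
"""
import hashlib
import hmac
import os
import re

# Alphabet used by phpass for its custom base64 encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Prefixes named in the announcement, plus the unsalted layout they replace.
_SCHEMES = (
    ("phpass", re.compile(r"^\$P\$[./0-9A-Za-z]{9}[./0-9A-Za-z]{22}$")),
    ("blowfish", re.compile(r"^\$2a?\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("md5-crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("plain-md5", re.compile(r"^[0-9a-f]{32}$")),
)


def identify_scheme(stored: str) -> str:
    """Return which hash variant a stored password value uses."""
    for name, pattern in _SCHEMES:
        if pattern.match(stored):
            return name
    return "unknown"


def _encode64(data: bytes, count: int) -> str:
    """phpass's non-standard base64: 3 bytes -> 4 chars, low bits first, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 11) -> str:
    """Compute a $P$ hash: 2**count_log2 chained MD5 rounds over salt + password."""
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 must be between 7 and 30")
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the itoa64 alphabet")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    # Layout: "$P$" + cost char + 8-char salt + 22-char encoded digest (34 chars).
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest, 16)


def new_phpass_hash(password: str, count_log2: int = 11) -> str:
    """Hash with a fresh random salt, so equal passwords get different hashes."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return phpass_hash(password, salt, count_log2)


def verify_phpass(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in the stored hash, then compare."""
    if identify_scheme(stored) != "phpass":
        return False
    count_log2 = ITOA64.index(stored[3])
    salt = stored[4:12]
    try:
        candidate = phpass_hash(password, salt, count_log2)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


def legacy_md5(password: str) -> str:
    """The pre-saltedpasswords layout: unsalted MD5, identical for equal passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the weak password from the announcement.
    print("legacy:", legacy_md5("secret"), identify_scheme(legacy_md5("secret")))
    for _ in range(2):
        h = new_phpass_hash("secret")
        print("salted:", h, identify_scheme(h), verify_phpass("secret", h))
```

The two salted lines printed differ even though the password is the same, which is exactly what defeats a precomputed table; the legacy line is the same on every run. Because the cost and salt travel inside the hash string, a verifier only needs the stored value and the candidate password, so rows written with different cost settings remain checkable after a configuration change.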

Since passwords are now transferred to the server in plain text, it is
highly recommended and required to transfer that information via a secure
channel such as SSL/HTTPS or the rsaauth system extension.

Installing saltedpasswords using the extension manager will give you some
remarks and suggestions concerning your system scenario and which settings
have to be adjusted.

The saltedpasswords extension can be activated and configured for
frontend and backend independently.

Notes:
The saltedpasswords extension will modify the (hashed) passwords in the
be_users and fe_users tables. So, please test the behaviour first in a
development environment, especially if you have custom extensions
installed that perform direct queries on the mentioned tables and rely
on that information.

Thanks to Marcus Krause, Steffen Ritter and Michael Stucki for working
on this feature!

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3