[TYPO3-core] RFC #13754: Secure Install Tool Login
Oliver Hader
oliver at typo3.org
Sat Mar 6 16:29:12 CET 2010
Hi Bernhard,
On 06.03.10 11:57, Bernhard Kraft wrote:
> Problem:
> As we have an rsaauth library now and a service for salted passwords it
> would make sense to:
>
> 1. store the install tool password as salted password instead of md5
> this makes it harder for people having read access to localconf.php to
> use md5 digest for password cracking
>
> 2. use RSA for login and password changes so the password or its md5
> sum never gets transmitted directly over the line
>
> 3. Add a way to set a new install password without transmitting its md5
> value in any direction over the line (so not even display the md5 sum to
> the admin user going to set the install tool password)
Without looking at the patch, transferring a password and storing a
password are different things. I think it's not good to store the
install tool password salted. So, let's remove storing data from this
issue and discuss it separately.
Using RSA to transfer password data sounds fine to me as long as there
is a possibility to disable that e.g. with a link "Do you have problems
with login, use this link instead"...
olly
--
Oliver Hader
TYPO3 v4 Core Team Leader
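To make point 1 of the proposal concrete, here is an added example (not code from this thread, from TYPO3 or from the rsaauth/saltedpasswords extensions) contrasting an unsalted md5 digest, as an install tool password stored in localconf.php would be, with a salted, iterated hash. The salted record format and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the example, not TYPO3's saltedpasswords format; the candidate password list is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme the thread wants to replace: the password is kept as a bare
# md5 hex digest, so anyone who can read localconf.php gets the digest.
def legacy_md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def legacy_md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_md5_store(password), stored)

# Salted scheme in the spirit of the proposal. Algorithm and record layout
# ("$pbkdf2$<iterations>$<salt hex>$<digest hex>") are assumptions for this
# example; a self-describing record lets the cost be raised later.
ITERATIONS = 100_000

def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt   # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def salted_verify(password: str, stored: str) -> bool:
    try:
        _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record, e.g. a bare md5 digest
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Why storage matters: an unsalted digest is a pure function of the password,
# so a table computed once matches every installation using that password.
# Constructed sample list for the demonstration.
CANDIDATES = ["install123", "password", "typo3admin"]

def precomputed_md5_match(stored: str) -> Optional[str]:
    table = {legacy_md5_store(p): p for p in CANDIDATES}
    return table.get(stored)

# With a per-record salt the same password yields a different record every
# time, so no such table can be prepared in advance.
def same_password_same_record(scheme: str, password: str) -> bool:
    if scheme == "md5":
        return legacy_md5_store(password) == legacy_md5_store(password)
    return salted_store(password) == salted_store(password)
```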