[TYPO3-core] RFC #13754: Secure Install Tool Login

Marcus Krause marcus#exp2010 at t3sec.info
Wed Mar 10 18:51:03 CET 2010


Hi!

Sigfried Arnold schrieb am 03/10/2010 11:17 AM Uhr:
> Am 06.03.2010 21:53, schrieb Marcus Krause:
>> We might consider storing the install tool password as sha1 hash in
>> localconf. But that's all I would do in regards to security improvements.
> 
> I agree to switch to a stronger hash algorithm, but lets switch to
> SHA-256 then. SHA-1 familiy already considered as broken (but in a term,
> that won't apply to password security).

Then, keeping that in mind, could you please outline why to use SHA-256
instead of SHA-1. SHA-1 method in PHP is available with 4.3.0+. SHA-256
requires ext/hash (enabled by default with 5.1.2+)


> But for the Protocol: this won't provide any extra security - even if
> you use a SHA-512 hash. Neither MD5 nor SHA-1 has any practical useable
> security issue for a preimage attack (getting any possible plaintext for
> a given hash).

So stay with MD5?


> [...] but all that extra time is worth nothing if the
> attacker simply uses a pre rendered rainbow table [...]

That qualifies for using a salted password. (useless pre-rendered
rainbow table).


[...] or attacks via dictionary.

You probably won't run dictionary attacks when having the hash; at
least, dictionary attacks should not considered for this RFC.
Dictionary attacks could be run any time. But the RFC wants to increase
security by using salted passwords, something that increases security if
you're afraid the attacker might get access to the password.


After all, I'm unsure what you're suggesting with your mail!

Cheers,
Marcus.



PS:

> Just make sure (or suggest), people use longer install tool passwords -
> for example: print out a warning if the entered password is <= 16
> characters.

Patches certainly welcome! ;-)


-- 
Member TYPO3 Security Team
Blog on TYPO3 Security: http://secure.t3sec.info/blog/


More information about the TYPO3-team-core mailing list