[TYPO3-core] RFC #13754: Secure Install Tool Login
Marcus Krause
marcus#exp2010 at t3sec.info
Thu Mar 11 08:54:44 CET 2010
Hi!
Sigfried Arnold wrote on 03/11/2010 12:38 AM:
> To sum up my suggestion:
>
> - Switch to SHA-256 (unsalted) as soon as the support for 4.1 runs out
> and PHP 5.1.x is a requirement (but keep in mind that this won't improve
> the security currently but might be safer for the future, since there is
> no known collision for SHA-256)
>
> - Don't salt the password, since it won't significantly improve the
> security of a single password.
>
> - Add a random install tool password generator which generates very
> cryptic, long and strong passwords.
>
> - Print a warning, if the entered password (at login or at creation?) is
> very short or does not use any character besides A-Za-z0-9.
>
> Well, maybe I really should think of a patch if I got time ;)
Some time ago, I was working on an entropy service; a service that
mathematically returns the entropy of a given string.
We could put that into a t3lib class and use that whenever a user
decides to create/use a password (FE/BE/Install tool).
resources:
http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html
http://typo3.org/extensions/repository/view/t3sec_crack/current/
--
Member TYPO3 Security Team
Blog on TYPO3 Security: http://secure.t3sec.info/blog/
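The thread discusses three pieces: an entropy estimate for a candidate password, a warning when the entered password is very short or uses only A-Za-z0-9, and a random generator for the Install Tool password. The following is an added example sketching that logic, not Marcus Krause's entropy service and not code from TYPO3 or the t3sec_crack extension; it is written in Python rather than PHP to keep the arithmetic visible. It assumes the common character-class pool model (search-space entropy = length * log2(pool size)), adds Shannon entropy of the string's own character distribution as a second measure, and uses a 12-character threshold for the "very short" warning as a constructed assumption.

```python
import math
import secrets
import string
from collections import Counter

# Character classes used to estimate the alphabet an attacker has to search.
# Pool sizes follow the four printable ASCII classes (assumption of this example).
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

MIN_LENGTH = 12  # assumed threshold for the "very short" warning


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (e.g. non-ASCII) each extend the pool by one.
    known = set().union(*CHAR_CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def search_space_entropy_bits(password: str) -> float:
    """Brute-force entropy: log2(pool ** length) == length * log2(pool)."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def shannon_entropy_bits(password: str) -> float:
    """Shannon entropy of the actual character distribution, summed over the string.

    This penalises repetition ("aaaa" scores 0) that the pool model cannot see.
    """
    n = len(password)
    if n == 0:
        return 0.0
    counts = Counter(password)
    per_symbol = -sum((k / n) * math.log2(k / n) for k in counts.values())
    return per_symbol * n


def uses_only_alphanumerics(password: str) -> bool:
    """True when the password contains nothing besides A-Za-z0-9."""
    alnum = set(string.ascii_letters + string.digits)
    return all(c in alnum for c in password)


def password_warnings(password: str) -> list[str]:
    """Warnings to show at password creation or login, as suggested in the thread."""
    warnings = []
    if len(password) < MIN_LENGTH:
        warnings.append(f"password is shorter than {MIN_LENGTH} characters")
    if uses_only_alphanumerics(password):
        warnings.append("password uses only A-Za-z0-9")
    return warnings


def generate_password(length: int = 20) -> str:
    """Random password from all four classes using the OS CSPRNG (secrets module).

    Rejects the rare draw that happens to contain no symbol, so the result never
    triggers the alphanumerics-only warning.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not uses_only_alphanumerics(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", "aaaaaaaaaaaa", generate_password()):
        print(
            f"{pw!r}: pool={pool_size(pw)} "
            f"search-space={search_space_entropy_bits(pw):.1f} bits "
            f"shannon={shannon_entropy_bits(pw):.1f} bits "
            f"warnings={password_warnings(pw)}"
        )
```

The two measures disagree on purpose: "aaaaaaaaaaaa" gets 12 * log2(26) bits from the pool model but 0 bits of Shannon entropy, so a check that reports the smaller of the two is the more conservative guard for an Install Tool password.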