[TYPO3-core] RFC #13754: Secure Install Tool Login
Bernhard Kraft
kraftb at think-open.at
Thu Mar 11 14:13:21 CET 2010
Sigfried Arnold wrote:
> And the pseudo password of course should be some irrational sequence you
> can't remember. If you really want to log in, you can look it up
> quickly. Then, it does not matter, if the install tool password is a
> weak password like 'g61xa781' or a strong one, like
> 'N MzRS5{NRJ/!s-^wlaT&)N}Be1;+R(ZT|Ei*,+ggVo6]}LV}R:i*%iopHNjIL&2'
I do not see why "g61xa781" should be a weak password? You won't find it
in any dictionary.
> If everybody uses the install tool properly, there is no need for salting
> the password.
You always talk about "one" password.
What if a hacker collects a large number of Install-Tool password hashes
(by whatever means), and then runs a rainbow table attack against them.
This would give him strings which allow him to log in to all those
Install Tools, and additionally try it on every other TYPO3 instance
Google reveals to him - probably made by the same agency and using the
same password.
So salting the Install Tool Password is not a mistake in any case.
Could you explain to me why you are against security improvements? For me
it looks like we could simply transmit everything in plaintext and store a
plaintext password, as you do not seem to care about any "unthinkable" ways.
Using an md5 hash will yield the same hash value for the same input on
each and every installation of TYPO3. I already suggested including some
server variables, etc. in the hash - the suggestion got simply ignored
or nitpicked into silence.
> But the past showed, eben Wolfgang Schäuble's install tool password was a
> simple string "gewinner" which everybody could quickly look up in a
> rainbow table.
I do not know who Wolfgang Schäuble is as I am not into German politics.
greets,
Bernhard
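The point argued in the thread, that an unsalted md5 of the Install Tool password is identical on every TYPO3 installation while a salted hash is not, as an added example that is not part of the mailing-list post and is not TYPO3's own code. It assumes a random 16-byte salt generated per stored password, PBKDF2-HMAC-SHA256 as the salted construction, and a simple `$`-separated storage format; the sample passwords "gewinner" and "g61xa781" are taken from the thread.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed work factor for this example; a real deployment would tune it.
ITERATIONS = 100_000


def hash_unsalted_md5(password: str) -> str:
    """Plain md5 as described in the thread: the same input gives the same
    digest on every installation, so one precomputed table covers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. A fresh random salt is drawn for each stored
    password, so the same password yields a different record per install.
    Storage format (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and iteration count stored beside it
    and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_two_installs(password: str) -> Tuple[bool, bool]:
    """Simulate two installations storing the same password.
    Returns (md5 records identical, salted records identical)."""
    md5_a, md5_b = hash_unsalted_md5(password), hash_unsalted_md5(password)
    salted_a, salted_b = hash_salted(password), hash_salted(password)
    return md5_a == md5_b, salted_a == salted_b


if __name__ == "__main__":
    same_md5, same_salted = compare_two_installs("gewinner")
    print("md5 identical across installs:", same_md5)        # True
    print("salted hash identical across installs:", same_salted)  # False
    record = hash_salted("g61xa781")
    print("verify correct password:", verify_salted("g61xa781", record))
    print("verify wrong password:", verify_salted("wrong", record))
```

A random salt stored next to the digest gives each installation a distinct record without depending on server variables, which is the per-installation difference the post asks for; the iteration count additionally makes building any precomputed table far more expensive.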