[TYPO3-core] RFC #14307: fe_user passwords are visible in the info popup window in the backend
Lars Houmark
lars at houmark.com
Wed May 5 13:17:51 CEST 2010
Xavier Perseguers wrote:
> How can a fixed-length string of 6 asterisks disclose any information
> about the real password? Don't understand why I'd trust you on this ;-)
Because if the password is actually 6 digits it is information and help.
By always showing random lengths it will tell the evil person that they
cannot even use the length as a method of figuring out the password.
If you need to do a fixed length, then do it with 12 or more chars.
--
Lars Houmark