[TYPO3-core] RFC #14307: fe_user passwords are visible in the info popup window in the backend
Lars Houmark
lars at houmark.com
Thu May 6 01:01:42 CEST 2010
Hi Bernd,
bernd wilke wrote:
> it is nice that passwords are not displayed by default for everyone in BE.
> But any admin(!) has several possibilities to see the passwords anyway
> in less than 5 minutes.
Let's define admin. Let's change it to an editor with access to listing
and viewing FE users, but not edit them - or even edit them, it does not
really change the situation.
This "admin" will be able to view passwords saved in clear text.
This does NOT mean he will have direct access to the database, does it?
Or other means for finding the password.
> If anyone cares about the clear passwords he would install encrypted
> passwords, which means nobody can see the passwords anyway.
I cannot disagree with you on that, but nonetheless TYPO3 should not be
the one lowering security because passwords were saved in clear text.
After all TYPO3 was "the one" deciding to only provide clear text saving
of fe_user passwords for many years :)
> let's do a flamewar about using serif or sans-serif fonts for the password-
> stars!
Let's not! Let's move on. Plenty of other bugs to squash.
--
Lars Houmark