[TYPO3-core] RFC: #16360: Feature: [saltedpasswords] Provide a task for bulk update of passwords for use with saltedpasswords

Marcus Krause marcus#exp2010 at t3sec.info
Fri Nov 12 13:19:50 CET 2010


Georg Ringer wrote on 11/12/2010 07:10 AM:
> Hi,
> 
> +1 on v2

Christian is right, you want to convert as many password records as
possible - no matter if deleted/disabled etc.

If an attacker gets hold of a cleartext password (not converted due to
a deleted record), chances are high the user has used this password across
Facebook, XING, Google etc., and the attacker could try to authenticate
themselves with the "stolen" credentials.

So I prefer to leave the implementation as it is now in this patch.


Marcus.

