Hi Steffen!
Steffen Gebert wrote on 02/20/2009 09:55 PM:
> Hi list,
>
> I didn't read anything here about t3sec_saltedpw.
>
> I'm currently reflecting about using this EXT in my current project - better
> start with salted passwords than let some thousands users have unsalted
> ones..
>
> As there are several core developers, I'm quite sure that this extension has
> a long term support or (better) will be integrated into core - right?
>
> Are there plans for 4.3?

Yes, have a look at http://forge.typo3.org/wiki/typo3v4-core/43_roadmap !
You will notice that "Salted MD5 passwords for frontend and backend" are planned. However, one important thing has to be done before: "RSA authentication library/service"

The salted passwords extension depends on the fact that passwords sent are plain-text ones (no challenges etc.). If you have an SSL/TLS secured website, this is no problem. If you don't consider MITM-attacks as a risk for your specific website project, you are free to use it. But mostly, websites aren't secured and MITM-attacks are considered to be a potential problem. That's why the transfer of credentials has to be fixed in a way that it is transparently secured (RSA).

> As felogin and sr_feuserregister are supported, I think I will have no
> problems with this extension - anybody already tried it?

Do you have a typo3.org account? If so, you are already using this extension! This extension is used under the hood for typo3.org FE users. You might have noticed that a lot of well-known TYPO3 guys made contributions to this extension. I therefore guess the code is pretty stable.

If you start to use t3sec_saltedpw now, and it later becomes part of the Core, the concept and implementation most probably will not change. You will continue to be able to use salted passwords and no BE/FE user would notice any change then.

If you are interested and able to contribute, there's a lot to be done. A first start would be the todo list in the manual. MD5 is pretty much hardcoded in the BE.
Anyone could help; just drop me a note and we could discuss/coordinate the work that's waiting to get done. ;-)

Marcus.
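
The dependency described in the message above (salted password storage needs the plain-text password at login, so the transport has to be protected by SSL/TLS or RSA), as an added example that is not part of the original post or of the t3sec_saltedpw code. The two storage layouts, the `salt$hash` record format and the `md5(md5(password):challenge)` response are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Scheme A (assumed): DB stores md5(password); login is challenge-response.
def store_unsalted(password):
    return md5_hex(password)


def client_response(password, challenge):
    # Computed in the browser; the plain-text password is never transmitted.
    return md5_hex(md5_hex(password) + ":" + challenge)


def verify_challenge(stored_md5, challenge, response):
    # Works only because the stored value equals what the client hashes first.
    return hmac.compare_digest(md5_hex(stored_md5 + ":" + challenge), response)


# Scheme B (assumed): DB stores salt$md5(salt + password), one salt per user.
def store_salted(password, salt=None):
    salt = salt or os.urandom(8).hex()
    return salt + "$" + md5_hex(salt + password)


def verify_salted(stored, plaintext):
    # The server must see the plain-text password to redo the salted hash.
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(md5_hex(salt + plaintext), digest)


def demo():
    password, challenge = "correct horse", os.urandom(16).hex()  # constructed
    response = client_response(password, challenge)
    salted = store_salted(password)
    return {
        "challenge_ok_unsalted": verify_challenge(store_unsalted(password), challenge, response),
        # md5(salt + password) cannot be turned into md5(password), so the
        # same response cannot be checked against a salted record.
        "challenge_ok_salted": verify_challenge(salted.split("$", 1)[1], challenge, response),
        "plaintext_ok_salted": verify_salted(salted, password),
        "same_pw_same_record_unsalted": store_unsalted(password) == store_unsalted(password),
        "same_pw_same_record_salted": store_salted(password) == store_salted(password),
    }


if __name__ == "__main__":
    print(demo())
```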
