
TYPO3 4.3 system extension saltedpasswords - manual available

Posted in TYPO3/ on February 05, 2010 by Marcus.

TYPO3 version 4.3 has brought a lot of new features. It has been out since December 2009, and you've probably tried it or are already familiar with all the new gimmicks.

I'm glad that the new system extension saltedpasswords has made it into the core. It allows the passwords of TYPO3 user accounts to be stored as salted hashes. With all these web sites that let you "retrieve" the origin of an md5 hash, it's important that TYPO3 keeps up with the progress in the security industry. With salted passwords we catch up with other content management systems like Drupal or WordPress.

The main advantage of salted hashes is that they make pre-computed rainbow tables useless. Someone who is interested in retrieving the original password for a salted hash is basically forced to run a brute-force attack. This is much more expensive in terms of time and computing power than looking up a hash in a pre-computed table.

What makes salted hashes so special? Every plain-text password to be hashed is concatenated with a random string (the salt). This salt is different for each user password stored in the CMS's database. Then, the hashing and concatenation are repeated multiple times. By default, TYPO3 does that exactly 16384 times for each password. You now understand that dealing with salted passwords is a lot more secure than a typical md5 hash. Still, you're advised to choose your password wisely. Don't use a dictionary word; ideally it's a passphrase consisting of upper- and lowercase letters, numbers and special characters.
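As an added illustration of the scheme described above (not the saltedpasswords extension's own code or storage format), the following Python shows a per-user random salt and 16384 rounds of hash-and-concatenate, plus a constant-time verifier. The `rounds$salt$digest` layout and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count as stated in the post for the TYPO3 default.
ROUNDS = 16384


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Return 'rounds$salt_hex$digest_hex' (illustrative layout only)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    pw = password.encode("utf-8")
    # First round: hash salt + plaintext, so equal passwords differ per user.
    digest = hashlib.md5(salt + pw).digest()
    # Further rounds re-feed the plaintext, so each round must be recomputed
    # by an attacker and cannot be served from a pre-computed table.
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        rounds, salt_hex, _digest_hex = stored.split("$")
        recomputed = hash_password(password, bytes.fromhex(salt_hex), int(rounds))
    except ValueError:  # malformed record: never treat as a match
        return False
    return hmac.compare_digest(recomputed, stored)


def unsalted_md5(password: str) -> str:
    """The lookup-table-friendly form the post warns about, for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    a, b = hash_password("tr0ub4dor&3"), hash_password("tr0ub4dor&3")
    print("unsalted equal:", unsalted_md5("tr0ub4dor&3") == unsalted_md5("tr0ub4dor&3"))
    print("salted equal:  ", a == b)
    print("verify ok:     ", verify_password("tr0ub4dor&3", a))
```

Same password, same unsalted md5; same password, different salted records. That is exactly the property that removes the value of a rainbow table.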

Now that we have such a security feature, it's up to you to use it. This brings me to the point of this posting.

A manual has been created and committed to the code repository. The upcoming TYPO3 version 4.3.2 will be shipped with it. The manual provides a step-by-step guide on how to install and configure this extension. In addition, it contains a developer section which will help TYPO3 extension developers integrate saltedpasswords support into their extensions. If your favourite extension still does not support salted user password hashes, please contact the extension developer, ask for this feature and refer to the manual.

I'm sure it won't take that much time until we find some more extensions in the TER which support saltedpasswords.

Tags: authentication, saltedpasswords


RSA Authentication for TYPO3 4.3

Posted in TYPO3/ on April 30, 2009 by Marcus.

Asymmetric Encryption for authentication - a major security improvement

Today, TYPO3 made a huge step forward in regards to security. Dmitry Dulepov has sent a patch (#11016) to the TYPO3 Core mailing list that implements RSA authentication for the TYPO3 Backend and Frontend.

RSA is a method of asymmetric encryption, something you might already know if you are using GnuPG or PGP. A key pair (public and private key) is created, and then a message can be encrypted using the public key. Only the owner of the private key is later able to decrypt the message.

In the case of TYPO3, TYPO3 itself will create a key pair for each login attempt. The public key is given to the client (your browser), which will use it to encrypt your password. So sniffing your traffic will not reveal the password, and you are able to log in to your TYPO3 installation in an unencrypted wireless LAN without having second thoughts about a possible compromise later.

TYPO3 will then decrypt the message with the private key so that the plain-text password is again available on the TYPO3 side.

Having plain-text passwords available on the TYPO3 side (not only hashed ones, as currently) makes it possible to apply arbitrarily complex transformations to the (original) plain-text passwords before they are stored in the database. You might even consider encrypting your passwords in the database.

The next step, also planned to ship with TYPO3 4.3, is salted hashed passwords for FE and BE user accounts. An already existing extension (t3sec_saltedpw) will therefore be integrated into the TYPO3 Core.

RSA authentication will replace the currently used superchallenge authentication method. However, if you are already using SSL to secure authentication for FE or BE ("normal login method"), there's no need to use RSA.

Give TYPO3 4.3 a try; test and review the upcoming alpha3 release! You won't regret it.


Thanks to Dmitry for his efforts. "Inspiring people to share" at its best!

Tags: typo3, authentication, rsa, encryption