
TYPO3 4.3 system extension saltedpasswords - manual available

Posted in TYPO3/ on February 05, 2010 by Marcus.

TYPO3 version 4.3 has brought a lot of new features. It has been out since December 2009, and you've probably tried it already or are familiar with all the new gimmicks.

I'm glad that the new system extension saltedpasswords has made it into the core. It allows the passwords of TYPO3 user accounts to be stored as salted hashes. With all these web sites that let you "retrieve" the original password behind an md5 hash, it's important that TYPO3 keeps up with progress in the security industry. With salted passwords we catch up with other content management systems like Drupal or WordPress.

The main advantage of salted hashes is that they make pre-computed rainbow tables useless. Someone who wants to recover the original password behind a salted hash is basically left with a brute-force attack, which is much more expensive in time and computing power than looking a hash up in a pre-computed table.

What makes salted hashes so special? Every plain-text password to be hashed is concatenated with a random string (the salt). This salt is different for each user password stored in the CMS's database. Then the hashing and concatenation are repeated multiple times; by default, TYPO3 does this exactly 16384 times for each password. You can see now that a salted password is a lot more secure than a typical md5 hash. Still, you're advised to choose your password wisely: don't use a dictionary word; ideally it's a passphrase consisting of upper- and lowercase letters, numbers and special characters.
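As an added illustration of the scheme just described (my own Python, not the code of the TYPO3 saltedpasswords extension): a random salt per user, hashing iterated the 16384 times mentioned above, and a verifier that reads the salt and round count back out of the stored record. SHA-256, the 16-byte salt and the `rounds$salt$hash` record layout are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative defaults (assumed, not TYPO3's own): a 16-byte random salt per
# password and 16384 iterations, the count the post quotes for TYPO3.
SALT_BYTES = 16
DEFAULT_ROUNDS = 16384


def legacy_md5(password: str) -> str:
    """Unsalted md5 as older TYPO3 versions stored it: identical passwords
    give identical hashes, so one rainbow-table lookup covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = DEFAULT_ROUNDS) -> str:
    """Return 'rounds$salt_hex$digest_hex'.

    Round 1 hashes salt || password; every further round re-hashes the
    previous digest || password, so the work factor grows with `rounds`
    and an attacker needs the per-user salt before any brute force starts.
    """
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    pw = password.encode("utf-8")
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + pw).digest()
    return "%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    try:
        rounds, salt_hex, _ = stored.split("$")
        recomputed = hash_password(password, bytes.fromhex(salt_hex), int(rounds))
    except ValueError:  # malformed record: wrong field count, bad hex or integer
        return False
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password.
    alice, bob = hash_password("Tr0ub4dor&3"), hash_password("Tr0ub4dor&3")
    print("md5 identical:   ", legacy_md5("Tr0ub4dor&3") == legacy_md5("Tr0ub4dor&3"))
    print("salted identical:", alice == bob)
    print("verify ok/bad:   ", verify_password("Tr0ub4dor&3", alice), verify_password("wrong", alice))
```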

Now that we have such a security feature, it's up to you to use it. That brings me to the point of this posting.

A manual has been created and committed to the code repository. The upcoming TYPO3 version 4.3.2 will be shipped with it. The manual provides a step-by-step guide on how to install and configure this extension. In addition, it contains a developer section that will help TYPO3 extension developers integrate saltedpasswords support in their extensions. If your favourite extension still does not support salted user password hashes, please contact the extension developer, ask for this feature and refer to the manual.

I'm sure it won't take much time until we find more extensions in the TER that support saltedpasswords.

Tags: authentication, saltedpasswords
