This document discusses securely storing passwords in TYPO3 using the saltedpasswords extension. It begins by explaining the risks of storing passwords in cleartext and introduces hashing and salting as more secure alternatives. The saltedpasswords extension implements salted hashing in the crypt() formats for MD5 and Blowfish as well as the portable phpass format. The document covers installing and configuring the extension (including the rsaauth or SSL prerequisite for transferring the cleartext password), converting existing unsalted MD5 passwords at login time, and provides background on password hash formats.
Secure password storing with saltedpasswords in TYPO3
1. Image: Carlos Porto / FreeDigitalPhotos.net
TYPO3camp Munich - 11./12. September 2010
Inspiring people to share
2. Secure password storing with TYPO3’s system extension “saltedpasswords”
Steffen Gebert <steffen@steffen-gebert.de>
Translated slides, original title:
“TYPO3-Passwörter sicher speichern mit saltedpasswords” (“Storing TYPO3 passwords securely with saltedpasswords”)
http://www.slideshare.net/StephenKing/passwrter-in-typo3-sicher-speichern-mit
3. Introduction
Your Speaker
Steffen Gebert
Student, Freelancer
TYPO3 Core Team Member
4. Introduction
Ouch!
TYPO3 Association, 3rd Quarterly Report 2008
“What happened? An unauthorized person gained
administrative access to the typo3.org website. As
far as we can tell, an admin password was stolen
and used to find out more passwords on typo3.org.”
5. Introduction
Saving passwords
Definite no-go: storing cleartext passwords
Instead:
save a hash (“check sum”) of the password
during login, hash the entered password and compare it with the stored hash
6. Introduction
Fundamental knowledge: Hashing
One-way function
identical input => identical output
md5(‘joh316’) = ‘bacb98acf97e0b6112b1d1b650b84971’
opposite direction not algorithmically computable (no efficient way to recover the input from its hash)
Most frequently used algorithm: MD5
not considered secure for years (collisions easy to compute, huge rainbow tables available)
Alternatives (SHA-1, SHA-256) only provide a bigger output space
=> an unsalted hash still maps each password to one fixed value, so attackers just need new rainbow tables
7. Introduction
Saving a salted password
User input: ‘joh316’
Generate a random salt, new for every password, e.g. ‘7deb882cf’
Compute hash over salt and password
md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
Save salt and hash (the salt is not secret, it only has to be unique)
8. Introduction
Validating a salted password
User input: ‘joh316’
Read used salt from database: ‘7deb882cf’
Compute hash
md5(‘7deb882cf’ . ‘joh316’) = ‘bacedc598493cb316044207d95f7ad54’
Compare with saved hash
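Slides 7 and 8 as running PHP. This is an added example, not the slides’ own code and not the saltedpasswords implementation: the function names and the “salt$hash” record layout are this example’s own, the salt comes from random_bytes() (PHP 7+), and MD5 is kept only because the slides use it; a real deployment uses a slow salted algorithm such as Blowfish (slide 10).

```php
<?php
// Added example (not from the slides, not saltedpasswords code): salting as
// described on slides 7 and 8. MD5 mirrors the slides only; use Blowfish
// (bcrypt) or another slow, salted algorithm in production.

// A fresh random salt per password. random_bytes() is CSPRNG-backed (PHP 7+);
// rand(), mt_rand() and uniqid() are not suitable for salts.
function generateSalt(int $bytes = 8): string
{
    return bin2hex(random_bytes($bytes));   // 8 bytes -> 16 hex characters
}

// Exactly the slide 7 construction: md5(salt . password).
function saltedHash(string $salt, string $password): string
{
    return md5($salt . $password);
}

// Slide 7: generate salt, hash, store salt and hash together.
// The "salt$hash" record format is this example's own choice.
function createRecord(string $password): string
{
    $salt = generateSalt();
    return $salt . '$' . saltedHash($salt, $password);
}

// Slide 8: read the salt back from the record, hash the input with it and
// compare. hash_equals() is constant-time; a plain == would leak timing and
// apply PHP's loose string comparison.
function verifyRecord(string $password, string $record): bool
{
    $parts = explode('$', $record, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 32) {
        return false;                       // malformed record is never accepted
    }
    [$salt, $storedHash] = $parts;
    return hash_equals($storedHash, saltedHash($salt, $password));
}

// Hash for the slides' own salt, so the output can be compared with slide 7.
function slideExample(): string
{
    return saltedHash('7deb882cf', 'joh316');
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

$record = createRecord('joh316');
expect(verifyRecord('joh316', $record), 'correct password verifies');
expect(!verifyRecord('password', $record), 'wrong password is rejected');
expect(!verifyRecord('joh316', 'garbage'), 'malformed record is rejected');
// Same password for two users: different salts give different records, so a
// rainbow table built for one salt says nothing about the other.
expect(createRecord('joh316') !== createRecord('joh316'), 'salts differ per record');
echo 'slide 7 hash: ', slideExample(), PHP_EOL;
```

The last check is the whole point of salting: without the salt, every user with the password ‘joh316’ would share the hash from slide 6, and one rainbow table lookup would expose all of them.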
9. The Extension
System extension saltedpasswords
Formerly t3sec_saltedpasswords by Marcus Krause,
Member of the TYPO3 security team
Integration into TYPO3 Core version 4.3 after rework by
Steffen Ritter
10. The Extension
Implemented salting methods
Salted MD5 (crypt() format)
Portable PHP password hashing framework (phpass)
Available for various PHP applications (Drupal etc.)
Repeated execution of MD5 (deliberately slow, to make brute force expensive)
Blowfish (bcrypt)
Availability depends on the environment
Starting with PHP 5.3 an implementation ships with PHP itself
11. The Extension
Crux of the matter...
The server needs the password in plaintext to salt and hash it
TYPO3 by default transfers only an MD5 hash of the password (challenge-response login), which cannot be salted afterwards
Transferring the plaintext over unencrypted HTTP is insecure
Prerequisite (at least one)
SSL-secured connection
System extension rsaauth
Encrypts the password in the browser with RSA before it is transferred
12. Installation & Configuration
rsaauth
Prerequisites
OpenSSL: PHP extension recommended, OpenSSL binary as fallback
JavaScript enabled in the browser (the password is encrypted client-side)
Activation
Frontend
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';
Backend
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
13. Installation & Configuration
saltedpasswords with SSL encryption
Frontend (login form must be served and submitted via https)
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
Backend (forces the backend to https)
$TYPO3_CONF_VARS['BE']['lockSSL'] > 0
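The two prerequisites from slides 11 to 13 side by side in typo3conf/localconf.php (TYPO3 4.x), with the setting that must not be used shown first. This is an added example, not text from the slides: only loginSecurityLevel and lockSSL from the slides are set, the value lockSSL = 1 is assumed here to be the strictest setting (check the Install Tool description for your version), and the activation of saltedpasswords itself and the choice of hashing method happen in the Extension Manager (slide 14).

```php
<?php
// typo3conf/localconf.php (TYPO3 4.x) -- added example, not from the slides.
// saltedpasswords needs the cleartext password on the server (slide 11), so
// the login must either carry it over TLS or encrypt it with rsaauth.

// Weak (what must NOT happen): cleartext level without TLS. The browser
// posts the password in the clear and anyone on the path can read it.
// $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';   // over plain http
// $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'normal';   // with lockSSL = 0

// Option A (slide 12): rsaauth encrypts the password in the browser.
// Requires the rsaauth system extension, OpenSSL (PHP extension or binary)
// and JavaScript in the browser.
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'rsa';
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';

// Option B (slide 13): cleartext level, but only over TLS.
// Frontend: 'normal' is acceptable only when the login form and its target
// URL are served via https (enforce that in the web server configuration).
// Backend: lockSSL > 0 forces https; 1 is assumed to force the whole backend
// including the login.
// $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';
// $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'normal';
// $TYPO3_CONF_VARS['BE']['lockSSL'] = 1;
```

With option B the frontend relies entirely on the web server redirecting the login page to https; the ‘normal’ level itself does nothing to protect the password in transit.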
14. Installation & Configuration
Installation of saltedpasswords
Installation checks that rsaauth is active or lockSSL is set
Separate activation for Frontend and Backend
Choice of hashing method (salted MD5, Blowfish, phpass)
15. Compatibility
Backwards compatibility
Existing passwords? (unsalted MD5)
immediate conversion not possible, as the cleartext is not available
only possible moment: during login, when the submitted password is verified against the old hash and then stored salted
16. Compatibility
Extensions
Frontend
felogin is compatible
srfeuserregister_t3secsaltedpw for sr_feuser_register
Alternative FE user registrations?
Adjustments to your own extensions might be needed
17. Background knowledge
Password formats
MD5 without salt
bacb98acf97e0b6112b1d1b650b84971
MD5 with salt
starts with $1$, followed by 8 characters of salt and a $ separator (12 characters before the hash)
$1$13NETowd$WFpl6npZF71YKkCCzGds2.
Blowfish
starts with $2a$, followed by the cost parameter and 22 characters of salt
$2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W
PHPASS
starts with $P$, followed by one iteration-count character and 8 characters of salt
$P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.
18. Background knowledge
Password formats: Pro & Contra
PHPASS
Low system requirements (compatible with every PHP version)
Requires a PHPASS implementation in the application
MD5 / Blowfish
Format of Unix crypt(), compatible with system services (/etc/passwd)
The better choice (?)
Availability of the algorithms is system dependent
with PHP 5.3.2 SHA-256/SHA-512 are also possible
19. Background knowledge
Usage of crypt()
Password validation (crypt() reads algorithm and salt from the stored hash):
crypt($user_input, $stored_hash) === $stored_hash
(use === rather than ==, or hash_equals() on PHP >= 5.6, to avoid loose comparison and timing leaks)
Saved hash (including salt):
$1$13NETowd$WFpl6npZF71YKkCCzGds2.
Checking inputs against the stored hash of ‘joh316’
crypt(‘joh316’, ‘$1$13NETowd$WFpl6npZF71YKkCCzGds2.’)
= $1$13NETowd$WFpl6npZF71YKkCCzGds2. (match)
crypt(‘password’, ‘$1$13NETowd$WFpl6npZF71YKkCCzGds2.’)
= $1$13NETowd$SeAArtswHd8jzc9SQvH691 (no match)
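The crypt() check from slide 19 together with the format detection of slide 17 and the login-time conversion of slide 15, as one runnable PHP example. It is added here and is neither the slides’ code nor the saltedpasswords implementation: the function names, the [accepted, replacement] return convention and the way a legacy hash is upgraded are this example’s own; the hashes are the ones printed on the slides, and phpass hashes are only recognised, not verified, because PHP’s crypt() does not implement $P$.

```php
<?php
// Added example (not from the slides, not saltedpasswords code): verify the
// formats of slide 17 with crypt() as slide 19 shows, and upgrade a legacy
// unsalted MD5 hash at login as slide 15 describes.

// Slide 17: tell the stored formats apart by their prefix.
function detectFormat(string $stored): string
{
    if (strncmp($stored, '$1$', 3) === 0) {
        return 'md5-crypt';                 // $1$ + 8 char salt + $
    }
    if (strncmp($stored, '$2a$', 4) === 0) {
        return 'blowfish';                  // $2a$ + cost + $ + 22 char salt
    }
    if (strncmp($stored, '$P$', 3) === 0) {
        return 'phpass';                    // needs the phpass library
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return 'legacy-md5';                // unsalted, slide 6
    }
    return 'unknown';
}

// Slide 19: crypt() reads algorithm and salt out of the stored string, so one
// call covers both $1$ and $2a$. hash_equals() instead of ==: constant time,
// no loose string comparison.
function verifyCrypt(string $input, string $stored): bool
{
    $computed = crypt($input, $stored);
    // On an unusable salt crypt() returns a short failure marker such as '*0';
    // the length check stops a corrupted DB value like '*0' from ever matching.
    return strlen($computed) >= 13 && hash_equals($stored, $computed);
}

// New Blowfish hash in the $2a$ format of slide 17, cost 07 as on the slide.
// 16 random bytes become the 22-character salt; base64's '+' is not in the
// ./0-9A-Za-z salt alphabet and is mapped to '.'.
function newBlowfishHash(string $input, int $cost = 7): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($input, sprintf('$2a$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        throw new RuntimeException('Blowfish not available in this PHP build');
    }
    return $hash;
}

// Slide 15: an unsalted hash can only be converted while the cleartext is
// present, i.e. during login. Returns [accepted, replacement hash or null];
// the caller stores the replacement when it is not null.
function checkAndUpgrade(string $input, string $stored): array
{
    $format = detectFormat($stored);
    if ($format === 'legacy-md5') {
        if (!hash_equals($stored, md5($input))) {
            return [false, null];
        }
        return [true, newBlowfishHash($input)];
    }
    if ($format === 'phpass') {
        return [false, null];               // left to a phpass implementation
    }
    return [verifyCrypt($input, $stored), null];
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

$md5Crypt = '$1$13NETowd$WFpl6npZF71YKkCCzGds2.';            // slides 17/19
expect(detectFormat($md5Crypt) === 'md5-crypt', 'prefix $1$');
expect(detectFormat('$2a$07$DZpLLz7wtIfhSSMwyEXjA.Nbh6rpDlqbgwVKa.IoDLyuLe5C7Jp8W') === 'blowfish', 'prefix $2a$');
expect(detectFormat('$P$Ccw7UIZ..SkvKBXDWnZlZ.qHcbktrB.') === 'phpass', 'prefix $P$');
expect(verifyCrypt('joh316', $md5Crypt), 'slide 19: joh316 matches');
expect(!verifyCrypt('password', $md5Crypt), 'slide 19: password does not match');
expect(!verifyCrypt('joh316', 'not-a-crypt-hash'), 'unusable stored value is rejected');

// Legacy record from slide 6, converted at the first successful login.
[$ok, $upgraded] = checkAndUpgrade('joh316', 'bacb98acf97e0b6112b1d1b650b84971');
expect($ok && $upgraded !== null, 'legacy hash accepted and replaced');
expect(detectFormat($upgraded) === 'blowfish', 'replacement is Blowfish');
expect(verifyCrypt('joh316', $upgraded), 'replacement verifies the same password');
[$ok, $upgraded] = checkAndUpgrade('password', 'bacb98acf97e0b6112b1d1b650b84971');
expect(!$ok && $upgraded === null, 'wrong password is never upgraded');
echo 'all checks passed', PHP_EOL;
```

The upgrade path only ever runs after the old hash has matched, so an attacker cannot use it to overwrite a password; and because the replacement is written only on success, users who never log in again keep their unsalted hash, which is the residual risk slide 15 leaves open.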
20. Web links
Free Rainbow Tables
http://www.freerainbowtables.com
PHPASS
http://www.openwall.com/phpass/
PHP Manual: crypt()
http://de2.php.net/manual/en/function.crypt.php
Wikipedia: crypt (Unix)
http://en.wikipedia.org/wiki/Crypt_(Unix)#Library_Function
21. Questions?