Bug #32991
Wrong default password hashing strategy
| Status: | Resolved | Start date: | 2012-01-05 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | Karsten Dambekalns | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.1 | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | Affected Flow version: | Git master |
Description
In https://review.typo3.org/5756 the default hashing strategy was changed to BCrypt.
Later, in https://review.typo3.org/6598, support for multiple strategies was added. But that change made PBKDF2 the default again.
Associated revisions
[BUGFIX] Make BCrypt the default hashing strategy (again)
In https://review.typo3.org/5756 the default hashing strategy was
changed to BCrypt. Later, in https://review.typo3.org/6598, support for
multiple strategies was added. But that change made PBKDF2 the default
again.
This change fixes that and makes the SaltedMd5 strategy available in
the YAML file as well (for completeness).
Change-Id: Icb1886a63031ae8393c391a99f7616cfb0a35b96
Fixes: #32991
Releases: 1.1
[BUGFIX] Implement fallback for password hash migration
The new BCrypt default hashing strategy causes problems if a FLOW3
application is migrated from version 1.0 which didn't use strategy
identifiers inside credentials. A new "fallback" configuration
option allows specifying the strategy that was used to generate
these legacy credentials. It defaults to "pbkdf2" and allows for a
seamless migration from 1.0 to 1.1. New passwords will be hashed with
the default strategy ("bcrypt" by default) and get the strategy
identifier prepended.
Change-Id: Ib817adb43552abfcce587bbbe5e1f55fd860a39c
Fixes: #32991
Releases: 1.1
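The fallback behaviour described in the second commit message, shown as an added example that is not TYPO3 Flow's own code: credentials without a strategy identifier are validated with the fallback strategy, while new passwords are hashed with the default and get the identifier prepended. The `identifier=>hash` layout, the function names and the PBKDF2 parameters are assumptions made for this example.

```php
<?php
// Added illustration, not TYPO3 Flow code. The "identifier=>hash" layout, the
// function names and the PBKDF2 parameters are assumptions made for this sketch.
const DEFAULT_STRATEGY = 'bcrypt';  // used for every newly hashed password
const FALLBACK_STRATEGY = 'pbkdf2'; // used for credentials stored without an identifier
const SEPARATOR = '=>';

function pbkdf2Hash(string $password, ?string $salt = null): string
{
    $salt ??= random_bytes(16);
    $key = hash_pbkdf2('sha256', $password, $salt, 10000, 32, true);
    return base64_encode($salt) . ',' . base64_encode($key);
}

function hashPassword(string $password, string $strategy = DEFAULT_STRATEGY): string
{
    $hash = match ($strategy) {
        'bcrypt' => password_hash($password, PASSWORD_BCRYPT),
        'pbkdf2' => pbkdf2Hash($password),
        default => throw new InvalidArgumentException("Unknown strategy: $strategy"),
    };
    return $strategy . SEPARATOR . $hash; // the strategy identifier is prepended
}

function validatePassword(string $password, string $stored): bool
{
    $parts = explode(SEPARATOR, $stored, 2);
    // No identifier means a legacy credential: validate it with the fallback.
    [$strategy, $hash] = count($parts) === 2 ? $parts : [FALLBACK_STRATEGY, $stored];
    switch ($strategy) {
        case 'bcrypt':
            return password_verify($password, $hash);
        case 'pbkdf2':
            $fields = explode(',', $hash, 2);
            $salt = base64_decode($fields[0], true);
            if (count($fields) !== 2 || !$salt) {
                return false; // malformed stored value
            }
            return hash_equals($hash, pbkdf2Hash($password, $salt));
        default:
            return false; // unknown identifier: reject instead of guessing
    }
}

// Constructed sample credentials.
$legacy = pbkdf2Hash('s3cret-sample');  // stored without an identifier, 1.0 style
$fresh = hashPassword('s3cret-sample'); // hashed with the default, identifier prepended
var_dump(validatePassword('s3cret-sample', $legacy), validatePassword('s3cret-sample', $fresh));
var_dump(validatePassword('wrong', $legacy), str_starts_with($fresh, 'bcrypt=>'));
```

The fallback only applies when no identifier is present, so a wrong fallback setting fails legacy logins without weakening credentials that already carry an identifier.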
History
#1 Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7681
#2 Updated by Karsten Dambekalns over 3 years ago
- Assigned To set to Karsten Dambekalns
#3 Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7681
#4 Updated by Karsten Dambekalns over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 28a049fc0d5ca17e5ee1ec8c92c020aa9a32864c.
#5 Updated by Gerrit Code Review over 3 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10832
#6 Updated by Christopher Hlubek over 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset 78279ca9a0c1b6808db415b678722791c66f4d0f.