6

I'm trying to create a custom registration component for TYPO3 on an external website where TYPO3 is not installed (I just use its database). The problem is I have no experience using TYPO3. I was wondering if anyone knew how to create the correct password encryption for TYPO3? The passwords look like this:

$P$CeO/XYcbzRH9nLpCwKdp1HhsJGwJum0

I am looking for PHP code to create that same encryption and check the password. I have the encryption key from the install tools which (I believe) is used for the salting.

Or is there a possibility to save passwords as MD5 only? Not the best option but it could be the only one left.

I have found this url: http://srv123.typo3.org/TYPO3/Extensions/saltedpasswords/4.6/#compatibility-of-other-extensions-with-salted-user-password-hashes

But I have no clue how to implement that in my own script.

biesior
Switching Brains
  • DO NOT ENCRYPT PASSWORDS! Leaks everywhere these days because developers think they need to decrypt passwords... Also do not use MD5(), it is hacked already. Also have a look at this question http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Ron van der Heijden Jul 25 '12 at 09:20

3 Answers

15

Works on TYPO3 6.X:

    $password = 'XXX'; // plain-text password
    $saltedPassword = '';

    if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')) {
        if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
            $objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL);
            if (is_object($objSalt)) {
                $saltedPassword = $objSalt->getHashedPassword($password);
            }
        }
    }
Nicolas F.
8

Have a look at the developer guide:

1.5.1 Creating a new salted user password hash from a given plain-text password

You have to use it in the TYPO3 frontend:

    $password = 'XXX'; // plain-text password
    $saltedPassword = '';

    if (t3lib_extMgm::isLoaded('saltedpasswords')) {
      if (tx_saltedpasswords_div::isUsageEnabled('FE')) {
        $objSalt = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL);
        if (is_object($objSalt)) {
          $saltedPassword = $objSalt->getHashedPassword($password);
        }
      }
    }

But you should never try to generate salted passwords outside of TYPO3 because the encryption depends on your TYPO3 settings.

insertusernamehere
Besnik
2

By looking at the hash provided I suppose the saltedpasswords extension (responsible for storing salted hashes in the database) in TYPO3 is set to use phpass. You should therefore be able to take this class and use it in your script to create/check passwords the same way as TYPO3 does.

> Or is there a possibility to save passwords as MD5 only?

Yes, using salted passwords in TYPO3 is optional and not mandatory. However, if any TYPO3 installation in the future would be supposed to use that database, I'm not sure how TYPO3 would handle the mixture of records when some of them would have passwords stored as unsalted hashes and some as salted. My guess is that it would handle it gracefully, recognising which check to use for each hash.

tmt
  • You didn't explain in your question why the TYPO3 database is being used, whether it already contains some records and whether in the future it will be used by some TYPO3 installation, so my answer might not be fully accurate. – tmt Jul 25 '12 at 11:34
  • The db is being used only for the front end users to login on the other website to view some pages. Registration and such is all handled on the TYPO3 website. That's why I only need the salted password. As far as MD5 only, I can put MD5 passes in the db directly. After logging in the MD5 is automatically converted by TYPO3 to a salted password. – Switching Brains Jul 25 '12 at 11:49
  • Thanks cascaval, just the answer I needed to direct me in the right way. The salted passwords is indeed set to use phpass. I downloaded the framework at: http://www.openwall.com/phpass and managed to create hashes that I can compare with the hashes in the db. I needed to set `$hash_portable = TRUE;` and that was it. Thanks a lot for your help. – Switching Brains Jul 25 '12 at 12:50
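
What the phpass portable format named in the last answer and its final comment involves, as an added PHP example that is not code from TYPO3, phpass or any poster on this page: a `$P$` string carries its own cost character and 8-character salt, so checking a password means re-hashing with those stored parameters and comparing in constant time. The function names are hypothetical, and the cost of 14 for new hashes is an assumption taken from the `C` in the question's hash.

```php
<?php
// Added example (not TYPO3 or phpass source): phpass portable ($P$) hashes.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's base64 variant: low 6 bits first, no padding (16 bytes -> 22 chars).
function phpass_encode64(string $in, int $count): string {
    $out = '';
    for ($i = 0; $i < $count; $i += 3) {
        $v = ord($in[$i]);
        if ($i + 1 < $count) { $v |= ord($in[$i + 1]) << 8; }
        if ($i + 2 < $count) { $v |= ord($in[$i + 2]) << 16; }
        $chars = min(4, $count - $i + 1); // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
        for ($j = 0; $j < $chars; $j++) {
            $out .= ITOA64[($v >> (6 * $j)) & 0x3f];
        }
    }
    return $out;
}

// Re-hash $password with the cost and salt stored in $setting; null if malformed.
function phpass_portable_hash(string $password, string $setting): ?string {
    if (strlen($setting) < 12 || substr($setting, 0, 3) !== '$P$') {
        return null;
    }
    $log2 = strpos(ITOA64, $setting[3]); // cost character, e.g. 'C' -> 14
    if ($log2 === false || $log2 < 7 || $log2 > 30) {
        return null;
    }
    $hash = md5(substr($setting, 4, 8) . $password, true); // 8-char salt
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Constant-time comparison of the stored hash against the recomputed one.
function phpass_check(string $password, string $stored): bool {
    $computed = phpass_portable_hash($password, $stored);
    return $computed !== null && hash_equals($stored, $computed);
}

// New hash with a random 6-byte salt; cost 14 is an assumption (see lead-in).
function phpass_new_hash(string $password, int $log2 = 14): ?string {
    $setting = '$P$' . ITOA64[$log2] . phpass_encode64(random_bytes(6), 6);
    return phpass_portable_hash($password, $setting);
}

$new = phpass_new_hash('correct horse'); // constructed sample password
var_dump(phpass_check('correct horse', $new), phpass_check('wrong', $new));
```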