TYPO3 backend user without password - typo3

Is it save to create backend user with an empty password?
For example the _cli_lowlevel backend user or a backend user editor-test, which I only use for testing purposes via the "Switch to user" feature.

usually a cli_* user should have no rights to access anything in the BE (non admin user, with no mount-points). it is used to execute TYPO3 by command line. if anyone can get access to a shell he can execute commands more dangerous than a simple BE-access. e.g. he can open access to the install-tool and create an admin-user. or use mysql-cli to set passwords to any given user.
normally you can not create BE-users without password as the form for BE-users requires a not empty password field. as you probably use salted and hashed passwords even a simple password can not be decrypted (so a brute force attack may find the password quickly). so the best way would be a long random password which you might forget the next moment.

Related

Decrypt wildfly management user password

I have a wildfly 21 installation with a management user (added using the add-user.sh). I forgot the password and I was wondering if it's possible to decrypt the value stored in the application-users.properties instead of generating a new one.
The password is only stored as a hash, so you will not be able to decrypt it.
And trying to break it might not be worth the effort.
I would just use the add-user.sh script and add a new user with the same name again.
It will then ask you if you want to overwrite/update the user and you are able to supply a new password.

Storing passwords on server

I want to do the following
User signs up to IOS app and provides username and password
Make a server call and store password in server database
When user logs in in the future, retrieve that password and check against the password that the user entered.
How can I do this in the most secure way possible? I was thinking of encrypting the password when storing in the db. When the user logsin, use the same encryption algorithm and compare against the db encrypted password.
NEVER ever store user credentials in encrypted (reversible) form. Currently best known way for checking user credentials is slow salted hash
for what and why please read https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
However, don’t try to invent your own algorithm for repeated hashing.
Choose one of these three well-known ones: PBKDF2, bcrypt or scrypt.
As already commented you may outsource the user authentication to some reliable service (google, fb, aws cognito, ibm appid,...)
Have you tried looking into databases? I know that Firebase has an authentication component of their database for ios development, and you might want to try to look into it or other databases. Check out firebase at: https://firebase.google.com/

How to make ATG dynamo admin server password not expire

I've seen various posts that help you reset the password when it expires (using various means ACC, DB update etc). But, is there a way you can make the admin password never expire? We have lot of automation built around this admin interface and it is turning out to be a hassle every time this password had to be changed. It would be nice if we can make the password never expire.
Set the enabled property on /atg/dynamo/security/passwordchecker/ExpiredPasswordAdminService/ to false.
Below is a sample ExpiredPasswordAdminService.properties file. You will need to create this in the appropriate configuration layer:
$class=atg.security.ExpiredPasswordAdminService
# Enable/Disable the password expiration service
enabled=false

Safe to store password on server

I am making some scripts for personal use. I need to store user and passwords for various stuff. Is it safe to store password text on webserver outside the webroot, eg
/var/www/includes/? Should it be encrypted as well? Or should I encrypt the password and store it in a database?
I'd suggest tu use the file .htpasswd to manage passwords:
http://www.htaccesstools.com/articles/htpasswd/
The file contains unencrypted usernames and hashed passwords.
It's one way to protect web ressources from unauthorized access.
The attached screenshot shows how the login will look like!

What is the best way to make login session with Perl's HTML::Mason?

I'm with some difficulties in make this.
I have a login HTML form, and I want to know if the user and password match with the information in my MySQL server.
What is the best way to do it?
Thank you very much
I know this question is a little old now but I thought I'd answer for posterity.
I think you have a few options.
One option is to not use HTML::Mason for the password validation at all. This is what we used to do. Since your HTML::Mason page is likely running inside a web server you can probably use it to do your username and password validation. For example if you're using Apache and mod_perl to serve your site, there are several modules for authentication, including one that can talk to MySQL and validate against a user table with username and password columns. Check the documentation for mod_authn_dbd for Apache 2.2. I recommend this approach.
Another way to do it is to use a framework like Catalyst. Catalyst already has the plugins for doing the kind of authentication you require and it will save you having to think about a most of the issues you'll need to code for yourself if you try and do it 100% in Mason. You can still use HTML::Mason for your page templates.
If you've got your heart set on using HTML::Mason to do the authentication then I would do it this way:
Place an autohandler in the folder you wish to protect -- note that all sub-folders will receive the same authentication protection
In an <%init> block in the autohandler, check for a valid session token in the cookie. If none exists, redirect ($m->redirect) to your login form. Otherwise, do nothing -- the autohandler will continue running and the page will be served.
In your login form handler, extract the username and password in an <%args> block. Using the username, retrieve the hashed password from the database. Extract the salt, prepend it to the plaintext password provided by the user and re-hash it. Then compare the hash strings. If they don't match, redirect back to the login page with an error. Otherwise pass through.
If parts of the above don't make sense look around on this site for "salting passwords" etc. As the original replier noted, it's bad karma to store plaintext passwords in the database. :-)
Create a Mason component that validates your username/password combination against MySQL with DBI and returns true or false if it is passed username and password in the %ARGS hash. Then load the component in the top of your login form, using the return value to determine whether to show the login form or redirect to your content.
Always store hashed values of passwords. When you have to validate the user credentials, hash the password input by the user and compare it against the hashed password value corresponding to the particular user.