Migrate TYPO3 fe_users to Flow Application

Hey guys,

I should migrate a TYPO3 fe_users table to a new Flow Application. The Passwords in fe_users are salted like $1$IZjBnS43$lipRI3D6NSmptGFBYKO3T/

Is there a way to convert the salted passwords to cleartext to generate a .csv File for import in the Flow database.

Thank you for your answers.

If that was possible there wouldn’t be much use in hashing the password to begin with…

One option I could think of was to import the users without it and send them a link to reset their passwords.

1 Like

Applications like Shopware use a live migration for that. You store/import informations about the used hashing algorithm. Before the user login, you can live migrate the password to your new hashing algorithm.

For example: the hashing is done by a php class (perhaps called Encoder). You store information about the used encoder (string like “md5”, or “bcrypt”). If the old encoder is used you use the old encoder to verify the password and migrate the password using the new encoder.

I have the same requirement; migrating passwords from a TYPO3 installation to a Flow app. The frontend users have salted keywords. My (as of yet untested) plan would be as follows:

  • Have an own authenticationProvider Typo3FrontendUserProvider and save the current TYPO3 password in credentialssource
  • Save the encryption key of the TYPO3 installation as a setting
  • The Typo3FrontendUserProvider intercepts the password entered by the user. It uses the (rebuilt) mechanisms for salted passwords in TYPO3 to validate the password.
  • If validation is successful, the intercepted password is set as new password using Flow mechanisms and the provider is set to DefaultProvider.

Do you think that this could work out or do I miss a point?

Yes, this solution could be worked.

I have set new passwords and send an email to the frontend users to set new passwords.

Thanks Patric. @bwaidelich Do you agree that my plan could work?

Not sure if I got it right, but why not give it a try? :wink:

In general you should be able to create your custom AuthenticationProvider that can somehow authenticate the TYPO3 credentials (i.e. by talking to the TYPO3 instance or by importing the salted credentials & encryption key)

A custom encryption provider should do the trick IMHO.

Thanks @christianm for pointing me to the right direction. It turned out to be pretty easy. I created a Gist for those having the same requirement:

For those importing users from TYPO3, e.g. in a CommandController, you can use the following method:

 * Creates a new account and sets the given password and roles
 * This doesn't encrypt the password but inserts the passwords without transformation, but with the "typo3md5salted=>" prefix.
 * @param string $identifier Identifier of the account, must be unique
 * @param string $password The clear text password
 * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
 * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
 * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
 * @return \TYPO3\Flow\Security\Account A new account, not yet added to the account repository
protected function createAccountWithPassword($identifier, $password, $roleIdentifiers = array(), $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
    $account = new \TYPO3\Flow\Security\Account();
    $account->setCredentialsSource('typo3md5salted=>' . $password);

    $roles = array();
    foreach ($roleIdentifiers as $roleIdentifier) {
        $roles[] = $this->policyService->getRole($roleIdentifier);

    return $account;