Re: htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e)

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e)
Date: Sat, 15 Oct 2016 22:48:59 +0100	[thread overview]
Message-ID: <1476568139.9950.54.camel@ipfire.org> (raw)
In-Reply-To: <94772ee3-4db0-4752-80c2-7c0a80f7b25f@web.de>

[-- Attachment #1: Type: text/plain, Size: 1324 bytes --]

Hi,

On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> Hello Michael,
> hello Development-List (in CC),
> 
> sorry for rehashing the issue: At 2016-10-06 I summarized
> my findings about htpasswd and its lack of bcrypt. Unfortunately,
> the bcrypt message digest algorithm is only available in
> the htpasswd version provided by the Apache Web Server (version
> 2.4.4 or later).
> 
> Since it uses SHA *without any salt*, it seems to be more
> secure in my point of view to use the MD5 method instead, where
> a salt is used.

I agree with this. Although not optimal, this is probably the option with better
security (assuming to BF against rainbow table).

I added some more details to the commit message:
  http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134

> Thereof I kindly ask you to revert the commit
> #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> were introduced. I know the developers are busy because of
> Core Update 106, and it can always happen that something slips
> through the fingers. :-)
> 
> Thanks and best regards,
> Timmothy Wilson

Thanks for making me reconsider this.

However, I would be happy to receive any patches that add support for bcrypt to
*actually* fix this.

Best,
-Michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

next prev parent reply	other threads:[~2016-10-15 21:48 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-15  8:16 IT Superhack
2016-10-15 21:48 ` Michael Tremer [this message]
2016-10-23 14:21   ` htpasswd: message digest algorithm IT Superhack
2016-10-23 18:10     ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1476568139.9950.54.camel@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox