Hi,

On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> Hello Michael,
> hello Development-List (in CC),
>
> sorry for rehashing the issue: At 2016-10-06 I summarized
> my findings about htpasswd and its lack of bcrypt. Unfortunately,
> the bcrypt message digest algorithm is only available in
> the htpasswd version provided by the Apache Web Server (version
> 2.4.4 or later).
>
> Since it uses SHA *without any salt*, it seems to be more
> secure in my point of view to use the MD5 method instead, where
> a salt is used.

I agree with this. Although not optimal, this is probably the option
with better security (assuming to BF against rainbow table).

I added some more details to the commit message:

  http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134

> Thereof I kindly ask you to revert the commit
> #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> were introduced. I know the developers are busy because of
> Core Update 106, and it can always happen that something slips
> through the fingers. :-)
>
> Thanks and best regards,
> Timmothy Wilson

Thanks for making me reconsider this. However, I would be happy to
receive any patches that add support for bcrypt to *actually* fix this.

Best,
-Michael
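The following is an added example, not part of the original thread and not IPFire code. It audits an htpasswd file by hash scheme and shows why the missing salt matters: every user with the same password gets the same `{SHA}` entry, so one lookup covers all of them. The sample file, user names and the `$apr1$` placeholder values are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def htpasswd_sha(password: str) -> str:
    """Entry format written by `htpasswd -s`: '{SHA}' + base64(SHA-1), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def classify(field: str) -> str:
    """Identify the scheme of an htpasswd hash field by its prefix."""
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if field.startswith("$apr1$"):
        return "md5-apr1-salted"
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    return "other"

def audit(text: str):
    """Return ({user: scheme}, [sorted users sharing one unsalted hash, ...])."""
    schemes, by_hash = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        schemes[user] = classify(field)
        if schemes[user] == "sha1-unsalted":
            by_hash[field].append(user)
    shared = [sorted(u) for u in by_hash.values() if len(u) > 1]
    return schemes, shared

# Constructed sample file: alice and bob chose the same password.
# The $apr1$ values are placeholders with different salts, not real hashes.
SAMPLE = "\n".join([
    "alice:" + htpasswd_sha("password"),
    "bob:" + htpasswd_sha("password"),
    "carol:$apr1$saltAAAA$PLACEHOLDERHASHVALUE01",
    "dave:$apr1$saltBBBB$PLACEHOLDERHASHVALUE02",
])

if __name__ == "__main__":
    schemes, shared = audit(SAMPLE)
    for user, scheme in schemes.items():
        print(f"{user}: {scheme}")
    print("identical unsalted hashes:", shared)
```

Any entry reported as `sha1-unsalted` is a candidate for re-hashing with a salted scheme the next time that user's password is set.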