From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e)
Date: Sat, 15 Oct 2016 22:48:59 +0100
Message-ID: <1476568139.9950.54.camel@ipfire.org>
In-Reply-To: <94772ee3-4db0-4752-80c2-7c0a80f7b25f@web.de>

Hi,

On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> Hello Michael,
> hello Development-List (in CC),
>
> sorry for rehashing the issue: On 2016-10-06 I summarized
> my findings about htpasswd and its lack of bcrypt. Unfortunately,
> the bcrypt message digest algorithm is only available in
> the htpasswd version provided by the Apache Web Server (version
> 2.4.4 or later).
>
> Since it uses SHA *without any salt*, it seems to be more
> secure in my point of view to use the MD5 method instead, where
> a salt is used.

I agree with this. Although not optimal, this is probably the option with better
security (assuming to BF against rainbow table).

I added some more details to the commit message:

  http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134

> Therefore I kindly ask you to revert the commit
> #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> were introduced. I know the developers are busy because of
> Core Update 106, and it can always happen that something slips
> through the fingers. :-)
>
> Thanks and best regards,
> Timmothy Wilson

Thanks for making me reconsider this.

However, I would be happy to receive any patches that add support for bcrypt to
*actually* fix this.

Best,
-Michael