Hi,

On Sun, 2016-10-23 at 14:21 +0000, IT Superhack wrote:
> Hello Michael,
>
> sorry for the late reply.
>
> Michael Tremer:
> > Hi,
> >
> > On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> > > Hello Michael,
> > > hello Development-List (in CC),
> > >
> > > sorry for rehashing the issue: At 2016-10-06 I summarized
> > > my findings about htpasswd and its lack of bcrypt. Unfortunately,
> > > the bcrypt message digest algorithm is only available in
> > > the htpasswd version provided by the Apache Web Server (version
> > > 2.4.4 or later).
> > >
> > > Since it uses SHA *without any salt*, it seems to be more
> > > secure in my point of view to use the MD5 method instead, where
> > > a salt is used.
> >
> > I agree with this. Although not optimal, this is probably the option with better
> > security (assuming to BF against rainbow table).
> I'm afraid, yes.
> >
> > I added some more details to the commit message:
> >   http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134
> >
> > > Thereof I kindly ask you to revert the commit
> > > #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> > > were introduced. I know the developers are busy because of
> > > Core Update 106, and it can always happen that something slips
> > > through the fingers. :-)
> > >
> > > Thanks and best regards,
> > > Timmothy Wilson
> >
> > Thanks for making me reconsider this.
> You're welcome.
>
> Could you please correct the release announcement of the 106 beta version, too? It says
> in the "misc" section that the hash algorithm has been changed. I guess it is an
> older version.

This is actually referring to this commit:

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=da314725051fe0ebf56fd9d28dae78ab7406c6f4

I removed the "admin" part which never should have been mentioned.

> > However, I would be happy to receive any patches that add support for bcrypt to
> > *actually* fix this.
> As I said, this depends on Apache, which is a bigger task (and probably
> way too big for me). Sorry.
> >
> > Best,
> > -Michael
> >
> Best regards,
> Timmothy Wilson

-Michael