From mboxrd@z Thu Jan 1 00:00:00 1970
From: IT Superhack
To: development@lists.ipfire.org
Subject: htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e)
Date: Sat, 15 Oct 2016 08:16:00 +0000
Message-ID: <94772ee3-4db0-4752-80c2-7c0a80f7b25f@web.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hello Michael,
hello Development-List (in CC),

sorry for rehashing the issue: On 2016-10-06 I summarized my findings
about htpasswd and its lack of bcrypt.

Unfortunately, the bcrypt message digest algorithm is only available in
the htpasswd version provided by the Apache Web Server (version 2.4.4 or
later).

Since it uses SHA *without any salt*, it seems to be more secure in my
point of view to use the MD5 method instead, where a salt is used.

Therefore I kindly ask you to revert the commit
#eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes were
introduced.

I know the developers are busy because of Core Update 106, and it can
always happen that something slips through the fingers. :-)

Thanks and best regards,
Timmothy Wilson