Hello Michael, hello Development-List (in CC),
Sorry for rehashing the issue: On 2016-10-06 I summarized my findings about htpasswd and its lack of bcrypt. Unfortunately, the bcrypt message digest algorithm is only available in the htpasswd version provided by the Apache Web Server (version 2.4.4 or later).
Since it uses SHA *without any salt*, it seems to be more secure from my point of view to use the MD5 method instead, where a salt is used.
Therefore I kindly ask you to revert the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes were introduced. I know the developers are busy because of Core Update 106, and it can always happen that something slips through the fingers. :-)
Thanks and best regards, Timmothy Wilson