Bug#469271: apache2-utils: htpasswd salt generation weakness
Hi Martin,
On Tuesday 04 March 2008, Martin Steigerwald wrote:
> htpasswd does weak password salt generation.
The problem is not very severe. Unless an attacker wants to crack a
significant number of passwords that were created in the same second
(and therefore got the same salt), this weakness is not going to help
him. And even the only 20-25 bits of salt effectively used by
htpasswd make precomputing rainbow tables for all salt values
infeasible.
There was also some discussion on bugtraq about this:
http://www.securityfocus.com/archive/1/488123/30/30/threaded
I agree that this should be fixed in testing/unstable, but I don't
think an update for etch is necessary.
Cheers,
Stefan
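
An added example, not part of the original message or of Apache's code: a small audit that groups the entries of an htpasswd file by salt and reports salts shared by more than one user, the condition the message describes for passwords created in the same second. It assumes the `$apr1$` and 13-character crypt() entry formats; the function names and the sample file content are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample htpasswd content (placeholder digests, not real hashes).
# alice/bob share an apr1 salt; carol/dave share a crypt() salt.
SAMPLE = "\n".join([
    "alice:$apr1$Qx3.....$" + "A" * 22,
    "bob:$apr1$Qx3.....$" + "B" * 22,
    "erin:$apr1$k9Zt/...$" + "C" * 22,
    "carol:r7" + "A" * 11,
    "dave:r7" + "B" * 11,
    "# comment line",
    "frank:{SHA}" + "D" * 27 + "=",   # unsalted scheme, not grouped here
])


def extract_salt(field):
    """Return (scheme, salt) for an htpasswd hash field, or None if unhandled."""
    if field.startswith("$apr1$"):
        parts = field.split("$")          # ['', 'apr1', salt, digest]
        if len(parts) == 4 and parts[2]:
            return ("apr1", parts[2])
        return None
    # Traditional crypt(): 13 characters, the first two are the salt.
    if len(field) == 13 and not field.startswith(("$", "{")):
        return ("crypt", field[:2])
    return None


def shared_salts(text):
    """Map (scheme, salt) -> users, keeping only salts used more than once."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        key = extract_salt(field)
        if key is not None:
            groups[key].append(user)
    return {key: users for key, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for (scheme, salt), users in sorted(shared_salts(SAMPLE).items()):
        print(f"{scheme} salt {salt!r} shared by: {', '.join(users)}")
```

Entries reported here are candidates for regeneration with a fixed htpasswd, since a shared salt lets one guess be tested against all of them at once.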