
Bug#469271: apache2-utils: htpasswd salt generation weakness



Hi Martin,

On Tuesday 04 March 2008, Martin Steigerwald wrote:
> htpasswd does weak password salt generation.

The problem is not very severe. Unless an attacker wants to crack a 
significant number of passwords that were created in the same second 
(and therefore got the same salt), this weakness is not going to help 
him. And even the only 20-25 bits of salt effectively used by 
htpasswd make precomputing rainbow tables for all salt values 
infeasible.

There was also some discussion on bugtraq about this:

http://www.securityfocus.com/archive/1/488123/30/30/threaded

I agree that this should be fixed in testing/unstable, but I don't 
think an update for etch is necessary.

Cheers,
Stefan
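
The condition discussed in the message above (entries created in the same second ending up with the same salt) can be checked for in an existing password file. The following is an added example, not part of the original message and not Apache code; the sample file is constructed, and the function names `salt_of` and `shared_salts` are hypothetical.

```python
from collections import defaultdict

# Constructed sample htpasswd content; users and digests are placeholders.
SAMPLE = """\
# constructed example file
alice:$apr1$Qx3.....$AAAAAAAAAAAAAAAAAAAAAA
bob:$apr1$Qx3.....$BBBBBBBBBBBBBBBBBBBBBB
carol:$apr1$9fTz1/..$CCCCCCCCCCCCCCCCCCCCCC
dave:abJnggxhB/yWI
erin:abCDEFGHIJKLM
frank:{SHA}PLACEHOLDERDIGEST0000000000=
"""

def salt_of(hash_field):
    """Return (scheme, salt); salt is None for unsalted or unrecognised fields."""
    if hash_field.startswith("$apr1$"):
        parts = hash_field.split("$")      # ['', 'apr1', salt, digest]
        ok = len(parts) == 4 and parts[2]
        return "apr1", parts[2] if ok else None
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted", None        # this scheme carries no salt at all
    if len(hash_field) == 13 and not hash_field.startswith("$"):
        return "crypt-des", hash_field[:2]  # traditional crypt: 2-char salt prefix
    return "unknown", None

def shared_salts(text):
    """Map (scheme, salt) -> users, keeping only salts used by more than one entry."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, salt = salt_of(hash_field)
        if salt is not None:
            groups[(scheme, salt)].append(user)
    # Note: crypt-des salts have only 4096 values, so in a large file some
    # repeats occur by chance; a repeated 8-character apr1 salt is the stronger signal.
    return {key: users for key, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    for (scheme, salt), users in shared_salts(SAMPLE).items():
        print(f"{scheme} salt {salt!r} shared by: {', '.join(users)}")
```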


