
Bug#606958: Truncation with passwords generated with htpasswd



Sorry for the late response.

On Monday 13 December 2010, Daniel Bareiro wrote:
> > Yes, that is described in the htpasswd man page. The recommended
> > algorithm is apr_md5 (the SHA algorithm does not use a salt and
> > is less secure). The default will be changed in Apache 2.4.
> 
> When you say "apr_md5", do you mean to use "htpasswd -m"? At least
> that's the only md5 form I see in htpasswd from Lenny 5.0.7.

Yes, that's the one. It's md5 done 1000 times over, which makes it 
difficult to brute force, and it uses a salt, which makes dictionary 
attacks difficult. The sha option in htpasswd is only one round of 
sha1 and no salt.

> 
> I was looking for some reference on the new default to be taken
> into Apache 2.4, but I could not find it. You will have it at
> hand?

Search for htpasswd in
http://httpd.apache.org/docs/trunk/upgrading.html


