Bug#606958: Truncation with passwords generated with htpasswd
Sorry for the late response.
On Monday 13 December 2010, Daniel Bareiro wrote:
> > Yes, that is described in the htpasswd man page. The recommended
> > algorithm is apr_md5 (the SHA algorithm does not use a salt and
> > is less secure). The default will be changed in Apache 2.4.
>
> When you say "apr_md5", do you mean to use "htpasswd -m"? At least
> that's the only md5 form I see in htpasswd from Lenny 5.0.7.
Yes, that's the one. It's md5 done 1000 times over, which makes it
difficult to brute force, and it uses a salt, which makes dictionary
attacks difficult. The sha option in htpasswd is only one round of
sha1 and no salt.
>
> I was looking for some reference on the new default to be taken
> into Apache 2.4, but I could not find it. Would you have it at
> hand?
Search for htpasswd in
http://httpd.apache.org/docs/trunk/upgrading.html
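Added example (not from this bug report or from Apache's own code): a Python port of the two htpasswd formats discussed above, the salted, 1000-round `$apr1$` MD5 scheme behind `htpasswd -m` and the unsalted single-round `{SHA}` scheme behind `htpasswd -s`, with a verifier that reads the salt back out of a stored entry. The function names and the random-salt construction are mine.

```python
# Added example: Python port of the $apr1$ and {SHA} htpasswd formats (not Apache's code).
import base64
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, n):
    """APR's to64(): emit n base-64 digits, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))

def apr1_hash(password, salt=None):
    """Salted, 1000-round MD5 crypt as produced by `htpasswd -m` ($apr1$...)."""
    pw = password.encode()
    salt = (salt or _to64(int.from_bytes(os.urandom(6), "big"), 8))[:8]  # random 8-char salt
    sp = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()          # MD5(pw, salt, pw)
    for pl in range(len(pw), 0, -16):                  # as many bytes of it as pw is long
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                              # the 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    out += _to64(final[11], 2)                         # 22 output characters in total
    return "$apr1$" + salt + "$" + out

def sha_hash(password):
    """Unsalted single-round SHA-1 as produced by `htpasswd -s` ({SHA}...)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify(password, stored):
    """Check a password against either stored form; the $apr1$ salt comes from the entry."""
    if stored.startswith("$apr1$"):
        return apr1_hash(password, stored.split("$")[2]) == stored
    if stored.startswith("{SHA}"):
        return sha_hash(password) == stored
    raise ValueError("unsupported htpasswd hash format")
```

Hashing the same password twice with `sha_hash` yields identical entries, so one precomputed table covers every user; two calls to `apr1_hash` differ because each draws a fresh salt, and each check costs 1000 MD5 rounds.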