Roy T. Fielding wrote:
> On Oct 19, 2009, at 1:53 PM, s...@apache.org wrote:
>
>> Author: sf
>> Date: Mon Oct 19 20:53:04 2009
>> New Revision: 826805
>>
>> URL: http://svn.apache.org/viewvc?rev=826805&view=rev
>> Log:
>> Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
>> with its 8 character limit is not useful anymore.
>
> I think it is odd that an interface change like this would
> be made without discussion on list. What will it break for
> existing configs? And if we are going to change the default,
> then we might as well change it to something other than MD5,
> or at least use extended crypt when available.

Precisely; at least SHA1 is both portable, and slightly more resilient than MD5.