On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote:
> On 30.12.2013 18:07, Graham Leggett wrote:
> > On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <[email protected]> wrote:
> >> Does anyone disagree with the below change (not yet merged to 2.x
> >> branches)? There is a similar paragraph in howto/auth.xml that I
> >> intend to remove.
> >
> > I would say digest authentication is insecure because it (to my
> > knowledge) forces you to store the password in cleartext
>
> clearly no
>
> [harry@srv-rhsoft:~]$ htdigest --help
> Usage: htdigest [-c] passwordfile realm username
> The -c flag creates a new file.
>
> does *not* store plaintext passwords
True, but as with the hash transmitted over the wire, the hash used in the digest file is just a single round of md5 which can easily be brute forced. Also, if the hashed string in the htdigest file is known, one can use it for digest authentication without knowing the real password. The insecure password storage is definitely another reason not to use digest auth. I will add that to the docs, too.
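An added illustration of the point made above, not code from the thread or from httpd itself: it builds an htdigest-style line (user:realm:HA1, with HA1 a single unsalted MD5 over user:realm:password) and a server-side verifier for the RFC 2617 request-digest. The verifier consumes only the stored HA1, which is exactly why the file contents are password-equivalent and why a leaked file can be attacked at plain MD5 speed. Realm, user, password, nonce and cnonce values are constructed for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def htdigest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as htdigest stores it: one unsalted MD5 round over 'user:realm:password'."""
    return md5_hex(f"{username}:{realm}:{password}")


def htdigest_line(username: str, realm: str, password: str) -> str:
    """One line in the htdigest file format: user:realm:HA1."""
    return f"{username}:{realm}:{htdigest_ha1(username, realm, password)}"


def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1, skipping blank lines and '#' comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        entries[(user, realm)] = ha1
    return entries


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest. Note that only HA1 enters the computation,
    never the password itself."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(entries, username, realm, method, uri, nonce, response,
                  qop=None, nc=None, cnonce=None):
    """What the server does: recompute the response from the stored HA1 and
    compare in constant time. The password is never needed on this side."""
    ha1 = entries.get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed sample data (hypothetical realm, user and password).
REALM = "example.org"
SAMPLE_FILE = "# constructed htdigest file\n" + htdigest_line("alice", REALM, "correct horse") + "\n"
ENTRIES = parse_htdigest(SAMPLE_FILE)
URI = "/private/"


def client_response(password, nonce, cnonce="0a4f113b", nc="00000001"):
    """Client side: derive HA1 from the typed password, then the response."""
    ha1 = htdigest_ha1("alice", REALM, password)
    return digest_response(ha1, "GET", URI, nonce, qop="auth", nc=nc, cnonce=cnonce)


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    print(SAMPLE_FILE.strip())
    good = client_response("correct horse", nonce)
    bad = client_response("wrong password", nonce)
    print("correct password accepted:",
          server_verify(ENTRIES, "alice", REALM, "GET", URI, nonce, good, "auth", "00000001", "0a4f113b"))
    print("wrong password accepted:  ",
          server_verify(ENTRIES, "alice", REALM, "GET", URI, nonce, bad, "auth", "00000001", "0a4f113b"))
```

Two properties of the stored value follow directly from the code: there is no salt, so the same user, realm and password always produce the same HA1 and each candidate password costs one MD5 call to check against a leaked line; and the verifier runs entirely from the file contents, so protecting that file is as important as protecting a plaintext password store.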
