On Saturday 09 June 2007 14:09:22 Frank Jones wrote:
> > A crypted (or better) password hash in a plain text .htaccess is a good
> > idea but a database is already a binary blob so both would
> > prevent trivial accidental viewing of passwords.
>
> This isn't directly relevant to your question, but I think it's
> important to point out that while sqlite databases are binary, they
> aren't really blobs. Try running "strings" on a sqlite database and
> you'll see what I mean.
Yes, and hacking the crypted passwords in a .htaccess file, these days, is only a step or two more complicated. Both are only good enough to "prevent trivial accidental viewing".

I was pleased to note that Brian F, over a year ago, has also created a patch (and no one hacks on a module to create a patch unless they *really* want the additional functionality), so that demonstrates there is indeed a need for plaintext passwords. The point here is: should the apache devs deny this functionality to apache users, because some of them think it's not appropriate (policy, not technical), when there are obviously patch(es) available?

On Saturday 09 June 2007 12:51:03 Brian J. France wrote:
> I agree with Nick that it should be moved up a level, but I think to
> do that it would require a re-work of all authn modules.

Would it be a reasonable compromise to accept this patch in its current state and then look into making the appropriate modifications to higher authn layers at a later stage? This approach has the benefit of getting feedback from folks actually using plaintext passwords, in SQL backends at least, and could provide more eyeballs on the issue of migrating this change up the authn layer. Or, it could prove this is a lame duck patch that no one wants and just causes problems. I don't think the latter, but incremental forward movement is not a bad approach.

--markc
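Frank's point that a sqlite file is binary but not opaque, shown as an added example that is not part of this thread or of any Apache module. The script builds two throwaway sqlite databases with a constructed user table, one holding a plaintext password and one holding a salted PBKDF2 hash, then scans each file the way `strings` does. The table layout, column names, sample credential and the PBKDF2 scheme are all assumptions made for the demo; they are not mod_authn_dbd's schema or Apache's `$apr1$`/crypt hash formats.

```python
import hashlib
import hmac
import os
import re
import sqlite3
import tempfile

# Runs of 4 or more printable ASCII bytes, the same heuristic `strings -n 4` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def strings_like(path):
    """Return printable-ASCII runs from a file, mimicking the Unix `strings` tool."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; a constructed scheme for this demo, not an Apache format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${dk.hex()}"


def verify_password(stored, candidate):
    """Check a candidate against the stored hash; the plaintext never needs to be on disk."""
    _algo, iterations, salt, expected = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(dk.hex(), expected)


def create_user_db(path, username, stored_value):
    """Build a tiny authn-style table (constructed schema, not mod_authn_dbd's)."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, stored_value))
        conn.commit()
    finally:
        conn.close()


def password_leaks(db_path, password):
    """True if the raw password is recoverable from the file by a plain byte scan."""
    return any(password in run for run in strings_like(db_path))


def demo(password="CorrectHorseBattery"):  # constructed sample credential
    """Return (plaintext_db_leaks, hashed_db_leaks) for the two storage choices."""
    with tempfile.TemporaryDirectory() as tmp:
        plain_db = os.path.join(tmp, "plain.db")
        hashed_db = os.path.join(tmp, "hashed.db")
        create_user_db(plain_db, "alice", password)
        create_user_db(hashed_db, "alice", hash_password(password, salt="0123456789abcdef"))
        return password_leaks(plain_db, password), password_leaks(hashed_db, password)


if __name__ == "__main__":
    plain, hashed = demo()
    print(f"plaintext column visible to a strings scan: {plain}")
    print(f"hashed column reveals the password:         {hashed}")
```

sqlite stores TEXT cells as raw bytes inside the page, so the plaintext column turns up verbatim in the scan while the hashed column only exposes the salt and digest; the trade-off the thread is weighing is exactly that a binary file format gives no protection of its own.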
