Apache MD5 hashes are refolded in such a way that they are expected but not
proven to be less breakable than a straight MD5 hash, and most certainly
expected to be less reducible than direct MD5 collision prediction.
However, a straight (not refolded) flavor of SHA1 is also available and you
would be encouraged to use either.
Keep in mind any method is weak to a dictionary attack using weak passwords.
And the hash attacks are only a concern if you don't take any effort to
protect the contents of your .htpasswd file, by keeping it out of the htdocs/
tree, etc.
Matthew Hersant wrote:
> A question regarding httpd authentication. Currently I am using the
> default base64 method, which I believe is insecure. Also only the first
> 8 characters of our passwords are actually encrypted. We have several
> scripts which verify passwords from the htpassword file. Mostly using
> the perl pack function. I've also read about htdigest (md5), but have
> heard this has security holes too. The question is: I'd like to upgrade
> our password security. i.e. having more characters encrypted and use a
> stronger digest for the encryption. I would also like to stick with an
> apache-based authentication method. Can someone offer some suggestions?
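The two schemes the reply recommends, as an added example that is not part of the thread or of Apache's own code: a small Python verifier for .htpasswd lines in the refolded MD5 ($apr1$) and straight SHA1 ({SHA}) formats, so scripts like the ones the original poster mentions can check passwords of any length without the crypt(3) 8-character limit. The user names and salts are constructed for the example; crypt(3) entries are deliberately not handled.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme: salted MD5 with 1000 re-hashing rounds (md5crypt with the 'apr1' magic)."""
    pw, slt = password.encode(), salt[:8].encode()  # Apache uses at most 8 salt characters
    alt = hashlib.md5(pw + slt + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + slt)
    for i in range(len(pw), 0, -16):
        ctx.update(alt[:min(i, 16)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # the "refolding" rounds the reply refers to
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(slt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for grp in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5), (11,)):
        v = 0
        for k in grp:
            v = (v << 8) | final[k]
        for _ in range(4 if len(grp) == 3 else 2):  # md5crypt's own base64 of the digest bytes
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$apr1${slt.decode()}${out}"


def sha1_hash(password: str) -> str:
    """Apache's {SHA} scheme: one unsalted SHA-1, base64 encoded (the 'straight' flavour)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(htpasswd_line: str, password: str) -> bool:
    """Check a password against one 'user:hash' line; unknown schemes (e.g. crypt(3)) fail closed."""
    _, _, stored = htpasswd_line.strip().partition(":")
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])  # reuse the stored salt
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time string comparison
```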
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.