On 10/25/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Joshua Slive <[EMAIL PROTECTED]> wrote:
> > The password formats are described in detail here:
> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
>
> Thanks, that explains a lot. But why are Crypt and MD5 hashes
> salted, and SHA is not?

I don't know the answer to that one. Cryptography is not my thing. But
I suspect that SHA is hard to reverse even without the salt.

> Crypt seems like a bad choice since it only uses the first 8
> characters of the password. I'd prefer not to use it. I won't have
> any problems if I use MD5 or SHA on a modern GNU/Debian or Ubuntu
> server, will I?

Nope. Shouldn't be any problem at all.

> Is this correct: If AuthType is set to Basic, then the password is
> sent in plain text, and no support for Crypt/MD5/SHA in the browser
> is needed, it's only needed on the server?

It's base64 encoded, rather than plain text. But the effect is the
same. So yes, the client doesn't need any of these functions for basic
auth.

Joshua.
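
Added example, not part of the original thread and not Apache's own code: a Python sketch of the two points above. The client sends only a base64 credential that the server decodes and hashes, and an unsalted `{SHA}` entry (base64 of the raw SHA-1 digest, as in the linked documentation) is identical for every user with the same password. All function names, users and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

def apache_sha(password: str) -> str:
    """htpasswd {SHA} entry: base64 of the raw SHA-1 digest, no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def decode_basic(header: str) -> tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic ...' value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def check_basic(header: str, htpasswd: dict[str, str]) -> bool:
    """Server side: decode the credential, hash it, compare to the stored entry."""
    user, password = decode_basic(header)
    stored = htpasswd.get(user)
    return stored is not None and hmac.compare_digest(stored, apache_sha(password))

def shared_hashes(htpasswd: dict[str, str]) -> list[list[str]]:
    """Group users whose unsalted {SHA} entries are identical (same password)."""
    groups = defaultdict(list)
    for user, entry in htpasswd.items():
        if entry.startswith("{SHA}"):
            groups[entry].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample data (not from the thread).
HTPASSWD = {name: apache_sha(pw) for name, pw in
            [("alice", "password"), ("bob", "password"), ("carol", "s3cret")]}
ALICE_HEADER = "Basic " + base64.b64encode(b"alice:password").decode("ascii")

if __name__ == "__main__":
    print(decode_basic(ALICE_HEADER))         # no hashing needed on the client
    print(check_basic(ALICE_HEADER, HTPASSWD))
    print(shared_hashes(HTPASSWD))            # what the missing salt reveals
```

Because the header decodes straight back to the password, Basic auth depends on TLS for confidentiality in transit; the hash format only protects the stored file.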

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.