Apache MD5 hashes are refolded in such a way that they are expected but not proven to be less breakable than a straight MD5 hash, and most certainly expected to be less reducible than direct MD5 collision prediction. However, a straight (not refolded) flavor of SHA1 is also available and you would be encouraged to use either. Keep in mind any method is weak to a dictionary attack using weak passwords. And the hash attacks are only a concern if you don't take any effort to protect the contents of your .htpasswd file, by keeping it out of the htdocs/ tree, etc.

Matthew Hersant wrote:
> A question regarding httpd authentication. Currently I am using the default base64 method, which I believe is insecure. Also only the first 8 characters of our passwords are actually encrypted. We have several scripts which verify passwords from the htpassword file, mostly using the perl pack function. I've also read about htdigest (md5), but have heard this has security holes too.
>
> The question is: I'd like to upgrade our password security, i.e. having more characters encrypted and using a stronger digest for the encryption. I would also like to stick with an apache-based authentication method. Can someone offer some suggestions?
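As an added example (not code from the thread), the refolded `$apr1$` scheme the reply describes, alongside the straight `{SHA}` form, with a constant-time verifier for checking entries from an .htpasswd file. The `$apr1$` steps follow the algorithm in APR's apr_md5.c; the salt and password values used in the comments are constructed.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # APR's non-standard base64 alphabet, 6 bits at a time, least significant first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password, salt):
    """Apache 'refolded' MD5 ($apr1$): salted, then 1000 extra MD5 rounds."""
    pw, salt = password.encode(), salt.encode()[:8]   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for offset in range(0, len(pw), 16):              # fold the alt digest in, len(pw) bytes
        ctx.update(alt[:min(16, len(pw) - offset)])
    i = len(pw)
    while i:                                          # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                             # slow-down rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(salt)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final
    out = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(f[11], 2)
    return "$apr1$" + salt.decode() + "$" + out

def sha1_htpasswd(password):
    """Straight (not refolded, unsalted) SHA1, the {SHA} form htpasswd -s writes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify(password, stored):
    """Check a candidate password against one stored .htpasswd hash."""
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])   # reuse the stored salt
    elif stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    else:
        return False
    return hmac.compare_digest(candidate, stored)   # constructed: "secret", salt "r31....."
```

Output can be cross-checked against `htpasswd -nbm user pass` (or `-nbs` for the SHA1 form) on a host with Apache installed.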
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.