Re: [users@httpd] httpd authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Apache MD5 hashes are refolded in such a way that they are expected but not
proven to be less breakable than a straight MD5 hash, and most certainly
expected to be less reducable than direct MD5 collision prediction.

However, a straight (not refolded) flavor of SHA1 is also available and you
would be encouraged to use either.

Keep in mind any method is weak to a dictionary attack using weak passwords.
And the hash attacks are only a concern if you don't take any effort to
protect the contents of your .htpasswd file, by keeping out of the htdocs/
tree, etc.


Matthew Hersant wrote:
|*A question regarding httpd authentication. Currently I am using the default base64 method, which I believe is insecure. Also only the first 8 characters of our passwords are actually encrypted. We have several scripts which verify passwords from the htpassword file. Mostly using the perl pack function. I've also read about htdigest (md5), but have heard this has security holes too. The question is: I'd like to upgrade our password security. i.e. having more characters encrypted and use a stronger digest for the encryption. I would also like to stick with an apache-based authentication method. Can someone offer some suggestions?
*|

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux