apr-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49288] Add support for stronger cryptographic hashing functions
Date Tue, 31 Jan 2012 19:16:09 GMT

--- Comment #2 from dmagda+asf@ee.ryerson.ca 2012-01-31 19:16:09 UTC ---
(In reply to comment #0)
> APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based
> passwords.  Moore's law and algorithmic improvements are increasingly making
> passwords stored in those hash functions vulnerable to cracking.
> It would be beneficial if there were stronger hash functions such as
> sha256/512, whirlpool, or pbkdf2 available for use.

Another option would be to call the system crypt() function and leverage any
capabilities it has with stronger hashes.

So for the ALG_CRYPT case in htpasswd.c's mkrecord(), instead of just calling
rand() to generate the salt, one would call generate_salt() and preprend
"$2a$", "$5$", or "$6$" to it so that the system starts using a different

This may not work on all platforms (e.g., Solaris 8, AIX 5L), but for any Unix
revision released in the last ten years it should be okay.

Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org

View raw message