apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: digest functions and validation - part 2
Date Fri, 09 May 2014 07:22:38 GMT
On Mon, 5 May 2014, Helmut Tessarek wrote:

> I really would like to know, if and why the httpd and apr developers think
> that md5 and sha1 are safe choices to be used for hashing passwords.

No. But which password hashing algorithmis are used/supported by 
apr_password_validate() is rather unrelated to which digest functions are 
made available with a public interface. For password hashing, apr-util has 
been supporting bcrypt since version 1.5.

What is missing is the support in httpd 2.2's htpasswd to generate hashes 
with bcrypt. And even in 2.4, bcrypt is not yet used by default. Both 
things should be changed, but are entirely unrelated to apr.


View raw message