Subject: svn commit: r329779 - /httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
Date: Mon, 31 Oct 2005 09:19:20 -0000
To: cvs@httpd.apache.org
From: martin@apache.org

Author: martin
Date: Mon Oct 31 01:19:17 2005
New Revision: 329779

URL: http://svn.apache.org/viewcvs?rev=329779&view=rev
Log:
Add random notes about possible weaknesses

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=329779&r1=329778&r2=329779&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original) +++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Mon Oct 31 01:19:17 2005 @@ -190,6 +190,15 @@

The use of the -b option is discouraged, since when it is used the unencrypted password appears on the command line.

+ +

When using the crypt() algorithm, note that only the first + 8 characters of the password are used to form the password. If the supplied + password is longer, the extra characters will be silently discarded.

+ +

The SHA encryption format does not use salting: for a given password, + there is only one encrypted representation. The crypt() and + MD5 formats permute the representation by prepending a random salt string, + to make dictionary attacks against the passwords more difficult.

Restrictions
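
Review bot: In the first added paragraph, "only the first 8 characters of the password are used to form the password" is circular; the second "password" should name the stored value, for example "are used to form the hash". That paragraph could also state the practical consequence of the silent truncation: under crypt(), any two passwords that share their first 8 characters are accepted as the same password. In the second added paragraph, "permute the representation by prepending a random salt string" describes salting loosely; the salt is an input to the hash computation, so "mix a random salt into the hash" would be more accurate, and the SHA sentence would be clearer if it said what "only one encrypted representation" means in the file: users with the same password get identical entries. Both paragraphs call these formats "encryption" although they are one-way hashes; consider "hash" or "digest" in the new text.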