httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: Apache 1.3a1 Authentification (re) (fwd)
Date Fri, 15 Aug 1997 22:56:17 GMT
On Fri, 15 Aug 1997, Paul Sutton wrote:

> The point with Unix crypt() is that you can (a) publish the source doe and
> (b) make the salt (key) readily available and it is *still* a one-way
> function. That is you can never get the original back, even with full
> knowledge. So no-one can ever decrypt your Unix password (of course, they
> can try encrypting and comparing, like crack does, but that is another
> matter). With the NT encryption calls, unless I am missing something,
> anyone can take your encrypted htpasswd file and keys onto a new system,
> write a program to call the decrypt() function and get your passwords. I
> would guess this is an aceptable level of security for NT systems. 

I suspect there's something that can be done. What if you encrypted the
password, using the password itself as the key. Then you couldn't
unencyrpt it to find the password unless you knew it already. When you
got a password, you'd encrypt that with itself, and see if it matched
your already-encrypted password.

It's reverse of the way Unix crypt() does it, but I think that would work.

-- Alexei Kosut <>

View raw message