httpd-dev mailing list archives

From Rasmus Lerdorf <>
Subject Re: basic auth broken
Date Tue, 02 Feb 1999 19:01:40 GMT
> So it sounds as though we should branch off and not try to
> make our portable passwords be recognisable as using the
> same algorithm as anyone else's.  I.e., use our own unique
> significator (and beef up our encryption a bit).  If it happens
> that ours is identical to FreeBSD's, at least we're not
> claiming it's the same as any other MD5 algorithm.
> How about directly copying FreeBSD's, but changing the format
> to '$apr1$<salt>$<hash>'?  That gives some room for
> growth.

I think that would be safe.  And if you use the same length of SALT as the
FreeBSD implementation, if someone really needed to migrate a password
file from one to the other they could simply do a s/apr1/1/
and it should work.
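
Whether the prefix rewrite discussed above carries a password file across depends on whether the `$apr1$` / `$1$` marker is only a label or is also fed into the digest. The following is an added example, not code from this thread or from Apache or FreeBSD: it implements FreeBSD-style MD5-crypt with the marker as a parameter, so the check can be run before migrating; the function names and the sample password and salt are assumptions made for the example.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    """Encode `value` as `length` crypt-base64 characters, low bits first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt, magic):
    """MD5-crypt with a caller-chosen marker such as b"$1$" or b"$apr1$"."""
    salt = salt[:8]                                  # at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)       # the marker is digest input
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # fixed stretching rounds
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64(final[a] << 16 | final[b] << 8 | final[c], 4)
    out += _to64(final[11], 2)
    return magic.decode() + salt.decode() + "$" + out

def prefix_swap_verifies(password, salt):
    """True if rewriting $apr1$ to $1$ in a stored entry still verifies."""
    stored = md5_crypt(password, salt, b"$apr1$")
    swapped = stored.replace("$apr1$", "$1$", 1)
    return swapped == md5_crypt(password, salt, b"$1$")

if __name__ == "__main__":
    # Sample password and 8-character salt chosen for this example.
    print(md5_crypt(b"myPassword", b"r31.....", b"$apr1$"))
    print(prefix_swap_verifies(b"myPassword", b"r31....."))
```
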
