httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: svn commit: r829162 - /httpd/httpd/trunk/support/htpasswd.c
Date Sat, 24 Oct 2009 12:53:24 GMT
On Friday 23 October 2009, William A. Rowe, Jr. wrote:
> Isn't this platform specific?  Seems wrong.  Why not test the pw
>  and the pw+1 char to determine if this is, in fact, true.

Our documentation doesn't talk about the limit being platform 
specific. But to be safe, I have changed it in r829355.

> With all our integration into openssl maybe we should add 3des
>  strong crypt for all platforms that don't otherwise offer it?  So
>  much easier now that the rules about crypto munitions in open
>  source have been relaxed.

The apr1 md5 algorithm seems secure enough. I don't think there is a 
need for another proprietary password hash algorithm. But it may be 
nice to add support for whatever is used by Linux/*BSD/Solaris 
nowadays. bcrypt/crypt_blowfish [1] (included in recent *BSD and 
others) would be especially interesting in that it allows adjusting 
the processing cost for a password check while staying backward 
compatible.


[1] http://www.openwall.com/crypt/
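
Added example, not part of the original message and not httpd code: a small audit of htpasswd-style entries showing why a per-hash cost field stays backward compatible. Old bcrypt hashes still identify their own cost and can be flagged for rehashing, while DES crypt entries are flagged for the password-length limit discussed above. The sample entries and the `min_cost` policy value are constructed assumptions.

```python
import re

# Constructed sample entries (user:hash). Values are illustrative only.
SAMPLE = """\
alice:$apr1$Qx8fT3pL$7vK0yW1mZr5cN2dHs9uE41
bob:$2y$05$abcdefghijklmnopqrstuuJ3x5y7z9B1D3F5H7J9L1N3P5R7T9V1X
carol:$2y$12$abcdefghijklmnopqrstuuJ3x5y7z9B1D3F5H7J9L1N3P5R7T9V1X
dave:rqXexS6ZhobKA
erin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

# bcrypt: $2<variant>$<two-digit cost>$<22-char salt + 31-char hash>
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Apache apr1 MD5: $apr1$<salt up to 8 chars>$<22-char hash>
APR1 = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
# Traditional DES crypt: 2-char salt + 11-char hash
DES = re.compile(r"^[./A-Za-z0-9]{13}$")

def classify(hash_field):
    """Return (scheme, cost); cost is None when the scheme has no cost field."""
    m = BCRYPT.match(hash_field)
    if m:
        return ("bcrypt", int(m.group(1)))
    if APR1.match(hash_field):
        return ("apr1-md5", None)
    if hash_field.startswith("{SHA}"):
        return ("sha1", None)
    if DES.match(hash_field):
        return ("des-crypt", None)
    return ("unknown", None)

def audit(text, min_cost=10):  # min_cost is a hypothetical site policy
    """Map each user to (scheme, note) describing whether a rehash is due."""
    findings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, hash_field = line.strip().split(":", 1)
        scheme, cost = classify(hash_field)
        if scheme == "bcrypt":
            note = "ok" if cost >= min_cost else f"rehash: cost {cost} < {min_cost}"
        elif scheme == "des-crypt":
            note = "rehash: only first 8 password characters are used"
        elif scheme == "sha1":
            note = "rehash: unsalted single SHA-1"
        elif scheme == "apr1-md5":
            note = "fixed iteration count, cannot be tuned"
        else:
            note = "unrecognized format"
        findings[user] = (scheme, note)
    return findings
```

Entries flagged for rehash can only be upgraded when the user next supplies the password, since the stored hash cannot be converted on its own.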
