httpd-dev mailing list archives

From Noel Butler
Subject Re: md5crypt passwords
Date Thu, 21 Jun 2012 03:42:31 GMT
On Wed, 2012-06-20 at 22:52 +0200, Stefan Fritsch wrote:

> On Wed, 20 Jun 2012, Nick Edwards wrote:
> > I posted this to users list last week but no-one bit, so I'm trying here.
> >
> > With md5crypt no longer recommended for use by its author, will Apache
> > soon support sha256/sha512 in basic authentication via MySQL.
> Note that it does not really matter that much which hash algorithm is 
> used. The number of rounds is more important. APR-MD5 ("$apr1$") does 1000 
> times recursive md5 (which is 1000 times more secure in terms of brute 
> forcing than plain md5). We should switch to something that needs more 
> processing time so that it is more difficult to brute force.

yup, I'm not a crypto expert but IIRC sha512 by default uses rounds=5000
(if rounds= is not specified)

I brought this up with (I think it was) Bill, a year ago (using SHA2)
and at that time there were no plans, however, in light of recent
events, I'd agree it needs to be revisited.

> >
> > For Mail and FTP, we are _now_ successfully using  crypt($password,
> > '$6$' . $16charsalt) for sha512, be nice if Apache basic auth would
> > too!
> APR passes everything it doesn't know to the system's crypt() function. So 
> chances are good that using $6$... already works for you. However, there 
> is currently no way to create such hashes with htpasswd.

If the OP is using crypt() correctly with a modern nix OS it certainly
will, I've been using sha512 for a while.
I'm surprised he did not just "try it", he might have had his answer a
week ago.

in perl I've been using

# 16 salt characters assumed (the maximum for $6$)
$psalt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[map {rand 64} 1..16];
$epass = crypt($PASS, '$6$' . $psalt);

the end result will be readable by httpd to auth users

In php, I've used 

$psalt = uniqid(16);    // yes i know a bad cheat :) ... but I'm far from knowledgeable with php
$epass = crypt($PASS,'$6$'.$psalt);

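Added example, not part of the original message or of httpd: the thread's point that the round count matters more than the digest, as a small Python audit of password-file entries plus a '$6$' setting builder that draws its salt from a CSPRNG. The names make_setting and audit_entry are hypothetical, the sample entries are constructed, and the setting string still has to be passed to the platform's crypt() to produce a hash.

```python
import re
import secrets

# crypt(3) salt alphabet: "./", digits, upper- and lower-case letters
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# scheme id -> (name, fixed or default rounds, rounds= honoured?)
SCHEMES = {"1": ("md5crypt", 1000, False), "apr1": ("APR-MD5", 1000, False),
           "5": ("sha256crypt", 5000, True), "6": ("sha512crypt", 5000, True)}
MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
                 r"(?P<salt>[./0-9A-Za-z]{0,16})\$(?P<hash>[./0-9A-Za-z]+)$")


def make_setting(rounds=None, salt_len=16):
    """Build a '$6$[rounds=N$]salt' crypt() setting with a CSPRNG salt."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(salt_len))
    return ("$6$" if rounds is None else f"$6$rounds={rounds}$") + salt


def audit_entry(line):
    """Return (user, scheme, effective_rounds, salt_len) for a 'user:hash' line."""
    user, _, field = line.strip().partition(":")
    m = MCF.match(field)
    if not m or m["id"] not in SCHEMES:
        return (user, "unknown", None, None)
    name, rounds, tunable = SCHEMES[m["id"]]
    if tunable and m["rounds"]:
        # SHA-crypt clamps the requested count to 1000..999999999
        rounds = min(max(int(m["rounds"]), 1000), 999_999_999)
    return (user, name, rounds, len(m["salt"]))


# Constructed sample entries; the digest part is filler, not a real hash.
SAMPLE = [
    "alice:$apr1$Zk3.9qLp$" + "x" * 22,
    "bob:$6$Qm1/7dTe0RzUwYcA$" + "x" * 86,
    "carol:$6$rounds=100000$h4.Nb2VxLs8/KeWq$" + "x" * 86,
    "dave:{SHA}" + "x" * 28,
]

if __name__ == "__main__":
    print("new setting:", make_setting(rounds=100000))
    for entry in SAMPLE:
        print(audit_entry(entry))
```

Entries that report 1000 or 5000 effective rounds are the ones to re-hash with an explicit rounds= value the next time the user's password is set.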