httpd-users mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: [users@httpd] httpd authentication
Date Thu, 01 Jun 2006 22:45:22 GMT
Apache MD5 hashes are refolded in such a way that they are expected but not
proven to be less breakable than a straight MD5 hash, and most certainly
expected to be less reducible than direct MD5 collision prediction.

However, a straight (not refolded) flavor of SHA1 is also available and you
would be encouraged to use either.

Keep in mind any method is weak to a dictionary attack using weak passwords.
And the hash attacks are only a concern if you don't take any effort to
protect the contents of your .htpasswd file, by keeping it out of the htdocs/
tree, etc.

Matthew Hersant wrote:
> A question regarding httpd authentication.  Currently I am using the
> default base64 method, which I believe is insecure.  Also only the first
> 8 characters of our passwords are actually encrypted.  We have several
> scripts which verify passwords from the htpassword file.  Mostly using
> the perl pack function.  I've also read about htdigest (md5), but have
> heard this has security holes too.  The question is: I'd like to upgrade
> our password security.  i.e. having more characters encrypted and use a
> stronger digest for the encryption.  I would also like to stick with an
> apache-based authentication method.  Can someone offer some suggestions?

The official User-To-User support forum of the Apache HTTP Server Project.
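
An audit sketch for the points raised in this thread, added here as an example and not part of the original messages or of Apache's own tooling: it labels each .htpasswd entry by hash scheme (crypt() entries use only the first 8 password characters), checks unsalted {SHA} entries against a weak-password list, and tests whether the file sits under the document root. The function names, sample entries, word list and paths are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os, re

def sha_entry(password):
    """Build the {SHA} form: base64 of the raw, unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def classify(field):
    """Name the scheme of one .htpasswd hash field from its layout."""
    if field.startswith("$apr1$"):
        return "apr1-md5"      # Apache's salted, iterated MD5
    if field.startswith("{SHA}"):
        return "sha1"          # straight SHA-1, no salt
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt-des"     # traditional crypt(): 8 significant chars
    return "unknown"

def audit(text, wordlist=()):
    """Return (user, scheme, finding) for every entry that needs attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        field = field.strip()
        scheme = classify(field)
        if scheme == "crypt-des":
            findings.append((user, scheme, "password truncated to 8 characters"))
        elif scheme == "sha1":
            if any(hmac.compare_digest(sha_entry(w), field) for w in wordlist):
                findings.append((user, scheme, "password is on the weak list"))
        elif scheme == "unknown":
            findings.append((user, scheme, "unrecognised hash format"))
    return findings

def inside_docroot(htpasswd_path, docroot):
    """True when the password file sits under the served document tree."""
    f, d = os.path.realpath(htpasswd_path), os.path.realpath(docroot)
    return os.path.commonpath([f, d]) == d

# Constructed sample file; the apr1 and crypt values are placeholders, not real hashes.
SAMPLE = "\n".join([
    "alice:$apr1$Zx8kQ1pB$PLACEHOLDERplaceholder",
    "bob:" + sha_entry("password"),
    "carol:rqXexS6ZhobKA",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE, wordlist=["letmein", "password"]):
        print(finding)
    print(inside_docroot("/srv/example/htdocs/.htpasswd", "/srv/example/htdocs"))
```

The apr1 entry is only classified, not verified, since checking it would need an implementation of Apache's MD5 variant.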