Sorry for the late response.

On Monday 13 December 2010, Daniel Bareiro wrote:
> > Yes, that is described in the htpasswd man page. The recommended
> > algorithm is apr_md5 (the SHA algorithm does not use a salt and
> > is less secure). The default will be changed in Apache 2.4.
>
> When you say "apr_md5", do you mean to use "htpasswd -m"? At least
> that's the only md5 form I see in htpasswd from Lenny 5.0.7.
Yes, that's the one. It's md5 done 1000 times over, which makes it
difficult to brute force, and it uses a salt, which makes dictionary
attacks difficult. The sha option in htpasswd is only one round of sha1
and no salt.

>
> I was looking for some reference on the new default to be taken
> into Apache 2.4, but I could not find it. You will have it at
> hand?

Search for htpasswd in http://httpd.apache.org/docs/trunk/upgrading.html
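To make the difference between the two htpasswd formats concrete, here is an added example that is not part of the thread above: a pure-Python reimplementation of the "$apr1$" scheme (the 1000-iteration, salted MD5 that `htpasswd -m` writes) next to the unsalted "{SHA}" scheme that `htpasswd -s` writes, a verifier for both, and a naive dictionary attack that counts hash computations. The apr1 algorithm is written from the md5crypt/apr_md5 description, and the two reference values in the comments are the example hashes for the password "myPassword" from the Apache httpd password-encryption documentation; the user names and word list are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet used by crypt-style encoders for the salt and the hash body.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ hash: md5crypt with a different magic string.

    Salt is at most 8 characters; the result is 1000 chained MD5 rounds
    mixing password, salt and the previous digest, then a custom base-64.
    """
    pw = password.encode()
    sb = salt.split("$", 1)[0][:8].encode()
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # feed alt digest, len(pw) bytes in total
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # the slow part: 1000 dependent MD5 rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    # Apache docs example: apr1_md5("myPassword", "r31.....")
    #   == "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
    return APR1_MAGIC.decode() + sb.decode() + "$" + enc


def sha1_unsalted(password: str) -> str:
    """htpasswd -s: a single SHA-1 of the password, base64, no salt."""
    # Apache docs example: "{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=" for "myPassword"
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def new_salt() -> str:
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(stored: str, password: str) -> bool:
    """Check a password against either htpasswd format (constant-time compare)."""
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0]
        candidate = apr1_md5(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_unsalted(password)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def crack(stored: dict, wordlist: list) -> tuple:
    """Naive dictionary attack. Returns (user -> cracked word, hash computations).

    For {SHA}, each word is hashed once and compared against every user, so
    identical passwords collapse to identical hashes. For $apr1$, each word must
    be rehashed under every user's salt, so the work grows with the user count.
    """
    found, work = {}, 0
    for word in wordlist:
        sha = sha1_unsalted(word)
        work += 1
        for user, h in stored.items():
            if h.startswith("{SHA}"):
                if hmac.compare_digest(h, sha):
                    found[user] = word
            elif h.startswith("$apr1$"):
                work += 1
                if verify(h, word):
                    found[user] = word
    return found, work


if __name__ == "__main__":
    # Constructed demo: two users share a password under each format.
    users = {"alice": sha1_unsalted("myPassword"), "bob": sha1_unsalted("myPassword"),
             "carol": apr1_md5("myPassword", new_salt()),
             "dave": apr1_md5("myPassword", new_salt())}
    for u, h in users.items():
        print(f"{u}:{h}")
    print(crack(users, ["letmein", "myPassword", "hunter2"]))
```

Run stand-alone, the script prints an htpasswd-style file in which alice and bob carry the same {SHA} line while carol and dave, with the same password, carry different $apr1$ lines; the cracked result is the same, but the work counter shows the salted scheme costing one extra hash per user per word, on top of each hash being 1000 rounds.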