Hi Stefan,

On 6/21/12, Stefan Fritsch <[email protected]> wrote:
> On Wed, 20 Jun 2012, Nick Edwards wrote:
>> I posted this to users list last week but no-one bit, so I'm trying here.
>>
>> With md5crypt no longer recommended for use by its author, will Apache
>> soon support sha256/sha512 in basic authentication via MySQL?
>
> Note that it does not really matter that much which hash algorithm is
> used. The number of rounds is more important. APR-MD5 ("$apr1$") does 1000
> times recursive md5 (which is 1000 times more secure in terms of brute
> forcing than plain md5). We should switch to something that needs more
> processing time so that it is more difficult to brute force.
>
>> I understand the apr version is different to plain md5crypt, but it is
>> based on the same thing from what I can tell, so it's pointless
>> upgrading our database passwords to use sha512 if Apache's still the
>> weak link.
>>
>> All admin scripts run in perl, and we are currently doing this with
>> apache_md5_crypt($password); using Crypt::PasswdMD5
>>
>> For Mail and FTP, we are _now_ successfully using crypt($password,
>> '$6$' . $16charsalt) for sha512, be nice if Apache basic auth would
>> too!
>
> APR passes everything it doesn't know to the system's crypt() function. So
> chances are good that using $6$... already works for you. However, there
> is currently no way to create such hashes with htpasswd.
>
Thanks, it does work. I did not realise this, because some time ago I tried to use our default md5crypt password used for ftp and mail, but Apache did not like it. After much googling I found a reference saying it was different and needed apr1. If it falls back, why would that have failed for us? Or is this fallback only something new?

>
> I would be for importing some state of the art scheme from some BSD. Good
> schemes allow to change the number of rounds without losing backward
> compatibility. I guess bcrypt is a candidate. This new algorithm should
> then be the new default.
>

Don't know much about bcrypt, sorry.

Thanks again for your help, all is now happy
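
The following Perl sketch is an added example, not code from either poster or from the Apache project. It builds an AuthUserFile entry using the `$6$` (SHA-512 crypt) format discussed above with an explicit `rounds=` work factor, then checks it the way a crypt()-based verifier does. It assumes a system crypt() that implements `$6$` (glibc does); the function names, user name and passwords are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: assumes crypt(3) supports "$6$"; all names are hypothetical.
use strict;
use warnings;

my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');   # 64 characters

# Salt drawn from the kernel CSPRNG; 256 % 64 == 0, so no modulo bias.
sub random_salt {
    my ($len) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, $len) == $len or die "short read from urandom";
    close($fh);
    return join '', map { $SALT_CHARS[ord($_) % @SALT_CHARS] } split //, $buf;
}

# Build "user:hash". $rounds is the work factor; sha512crypt uses 5000
# when the "rounds=" field is omitted from the setting string.
sub htpasswd_line {
    my ($user, $password, $rounds) = @_;
    die "bad user name" if $user =~ /[:\r\n]/;
    my $setting = '$6$rounds=' . $rounds . '$' . random_salt(16) . '$';
    my $hash = crypt($password, $setting);
    # A crypt() without $6$ support returns undef or a different format.
    die "crypt() does not support \$6\$ here"
        unless defined $hash && index($hash, $setting) == 0;
    return "$user:$hash";
}

# Re-run crypt() with the stored hash as the setting and compare.
sub verify {
    my ($password, $stored) = @_;
    my $calc = crypt($password, $stored);
    return (defined $calc && $calc eq $stored) ? 1 : 0;
}

# Report which code path and work factor a stored hash implies.
sub describe {
    my ($hash) = @_;
    return 'apr1: 1000 MD5 iterations, handled by APR itself' if $hash =~ /^\$apr1\$/;
    return 'sha512crypt via crypt(), rounds=' . ($1 // 5000)
        if $hash =~ /^\$6\$(?:rounds=(\d+)\$)?/;
    return 'other: left to the system crypt()';
}

my $line = htpasswd_line('alice', 'constructed-sample-pw', 100000);
my ($user, $hash) = split /:/, $line, 2;
print "$line\n", describe($hash), "\n";
print 'correct password: ', verify('constructed-sample-pw', $hash), "\n";
print 'wrong password:   ', verify('not-the-password', $hash), "\n";
```

Running `describe` over an existing password file shows which entries still sit at the fixed 1000-iteration `$apr1$` cost and which carry an adjustable `rounds=` value.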
