Date: Mon, 7 Jul 2008 17:44:24 +0200
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: Jos Chrispijn <jos@webrz.net>, Bill Moran <wmoran@potentialtech.com>
Subject: Re: .htaccess or OS related?
Message-ID: <200807071744.24986.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <20080707084647.9a426e86.wmoran@potentialtech.com>
References: <001201c8e02b$9c6e9ed0$d54bdc70$@net> <002301c8e02d$7f4fde70$7def9b50$@net> <20080707084647.9a426e86.wmoran@potentialtech.com>
On Monday 07 July 2008 14:46:47 Bill Moran wrote:
> In response to "Jos Chrispijn" <jos@webrz.net>:
> > Bill,
> >
> > > -----Original Message-----
>
> Keep the list in the loop on replies.
>
> > > The algorithm is part of Apache and has little or nothing to do with
> > > the OS on which it runs.
> >
> > I see, so .htpasswd is an Apache utility then; didn't know that.
> >
> > > And the encryption used to store passwords in .htaccess files is known
> > > to be weak. If you need something strong, look to one of the other
> > > mod_* security packages instead of .htaccess passwords.
> >
> > What other mod_* security package would you recommend?
>
> I won't _recommend_ anything. However, I will point out that there's a
> mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
> that I'm forgetting.

The encryption of htpasswd files is only a concern when:
- the password databases themselves are downloadable
- you have a shared host and local users have access to your password databases

Using one of the modules described above won't solve anything (as you can still store the passwords in md5 or an even weaker hash) and will need support from your hosting provider. Those modules are meant to centralize user management, not to increase password encryption.

If you want to improve the hash with which passwords are stored, then use the '-s' option to htpasswd(1), which will use SHA rather than MD5.
If you want to protect your users more, then you should use mod_auth_digest, which instructs the browser to hash its password before sending it over the internet.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
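The reply above turns on which hash scheme an htpasswd file actually stores. The following is an added example, not code from the thread or from Apache: a small audit script that parses an htpasswd file, identifies the scheme of each entry by its prefix, flags the ones that are not bcrypt, and implements the `{SHA}` format that `htpasswd -s` writes so that an entry can be checked. The sample file is constructed here; the `$apr1$`, bcrypt and crypt digests in it are placeholder strings (only their prefixes matter for classification), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Tuple


def make_sha_entry(password: str) -> str:
    """Build the field htpasswd -s writes: "{SHA}" + base64(raw SHA-1 of password).
    The scheme is unsalted, so equal passwords always give equal fields."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_sha_entry(stored: str, password: str) -> bool:
    """Check a candidate password against a {SHA} field (constant-time compare)."""
    return hmac.compare_digest(stored, make_sha_entry(password))


# Traditional crypt(3) output (htpasswd -d): 13 characters from the ./0-9A-Za-z alphabet.
_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(hash_field: str) -> str:
    """Name the hash scheme of one htpasswd password field by its prefix/shape."""
    if hash_field.startswith("{SHA}"):
        return "sha1"            # htpasswd -s: unsalted SHA-1
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"        # htpasswd -m (the default): Apache's MD5-based scheme
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"          # htpasswd -B: bcrypt
    if _CRYPT_RE.match(hash_field):
        return "crypt"           # htpasswd -d: traditional DES crypt, 8-char limit
    return "unknown"             # plaintext (-p) or something this script does not know


# Only bcrypt is treated as adequate for a file that may be readable by others.
STRONG_SCHEMES = {"bcrypt"}


def audit_htpasswd(text: str) -> List[Tuple[str, str, bool]]:
    """Return (user, scheme, is_weak) for each entry; blank and comment lines are skipped."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            continue  # malformed line without a user:hash separator
        scheme = classify(hash_field)
        report.append((user, scheme, scheme not in STRONG_SCHEMES))
    return report


# Constructed sample file (not from the thread). alice's field is a real {SHA}
# entry for the password "hunter2"; the other digests are placeholders.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample .htpasswd",
    "alice:" + make_sha_entry("hunter2"),
    "bob:$apr1$saltsalt$" + "x" * 22,
    "carol:$2y$10$" + "x" * 53,
    "dave:" + "x" * 13,
])


if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "WEAK" if weak else "ok"
        print(f"{user:8s} {scheme:10s} {flag}")
    print("alice/hunter2 verifies:",
          verify_sha_entry(SAMPLE_HTPASSWD.splitlines()[1].split(":", 1)[1], "hunter2"))
```

Note that `{SHA}` is base64 of an unsalted SHA-1, so two users with the same password share the same stored field and a leaked file can be attacked with a precomputed table; on Apache 2.4.4 and later, `htpasswd -B` stores bcrypt instead, which is what the audit treats as adequate.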