From: Mel
To: freebsd-questions@freebsd.org
Cc: Jos Chrispijn, Bill Moran
Date: Mon, 7 Jul 2008 17:44:24 +0200
Subject: Re: .htaccess or OS related?
In-Reply-To: <20080707084647.9a426e86.wmoran@potentialtech.com>
Message-Id: <200807071744.24986.fbsd.questions@rachie.is-a-geek.net>

On Monday 07 July 2008 14:46:47 Bill Moran wrote:
> In response to "Jos Chrispijn" :
> > Bill,
> >
> > > -----Original Message-----
>
> Keep the list in the loop on replies.
>
> > > The algorithm is part of Apache and has little or nothing to do with
> > > the OS on which it runs.
> >
> > I see, so .htpasswd is an Apache utility then; didn't know that.
> >
> > > And the encryption used to store passwords in .htaccess files is known
> > > to be weak. If you need something strong, look to one of the other
> > > mod_* security packages instead of .htaccess passwords.
> >
> > What other mod_* security package would you recommend?
>
> I won't _recommend_ anything. However, I will point out that there's a
> mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
> that I'm forgetting.

The encryption of htpasswd files is only a concern when:
- the password databases themselves are downloadable
- you have a shared host and local users have access to your password databases

Using one of the modules described above won't solve anything (as you can still store the passwords in md5 or an even weaker hash) and will need support from your hosting provider. Those modules are meant to centralize user management, not to increase password encryption.

If you want to improve the hash with which passwords are stored, then use the '-s' option to htpasswd(1), which will use SHA rather than MD5.

If you want to protect your users more, then you should use mod_auth_digest, which instructs the browser to hash its password before sending it over the internet.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
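The htpasswd storage formats this reply compares, as an added example that is not part of the thread: the script below classifies each entry of a constructed .htpasswd file by hashing scheme and reproduces the {SHA} form that `htpasswd -s` writes (base64 of an unsalted SHA-1 digest). The user names and sample lines are constructed; the apr1 and bcrypt values are placeholders that only exercise the prefix checks.

```python
import base64
import hashlib
import re

# Constructed sample .htpasswd lines (not from the thread). The {SHA} entry
# is exactly what `htpasswd -s` writes for the password "secret"; the apr1
# and bcrypt fields are placeholder strings with the right prefixes only.
SAMPLE_HTPASSWD = """\
alice:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
bob:$apr1$saltsalt$AbCdEfGhIjKlMnOpQrStU.
carol:$2y$10$placeholdersaltplaceholderhashplaceholderhashxx
dave:aBcDeFgHiJkLm
eve:hunter2
"""

def classify(hash_field):
    """Map an htpasswd hash field to (scheme, verdict on offline-cracking resistance)."""
    if hash_field.startswith("{SHA}"):
        return "sha1", "weak: unsalted SHA-1 (htpasswd -s)"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "weak: salted MD5, 1000 iterations (htpasswd -m)"
    if re.match(r"^\$2[aby]\$\d\d\$", hash_field):
        return "bcrypt", "ok: bcrypt with tunable work factor (htpasswd -B)"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt", "weak: traditional DES crypt, 8-char password limit (htpasswd -d)"
    return "unknown", "unknown scheme, treat as plaintext"

def audit(text):
    """Return {user: (scheme, verdict)} for every well-formed user:hash line."""
    results = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        results[user] = classify(hash_field)
    return results

def sha_entry(password):
    """Reproduce the {SHA} form: base64 of the raw SHA-1 digest, no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_sha(hash_field, password):
    """Check a candidate password against a {SHA} entry (same input, same hash)."""
    return hash_field == sha_entry(password)

if __name__ == "__main__":
    for user, (scheme, verdict) in audit(SAMPLE_HTPASSWD).items():
        print(f"{user:6} {scheme:9} {verdict}")
```

Because {SHA} carries no salt, identical passwords produce identical entries and a precomputed table covers every file, so it is not a stronger target than salted apr1 MD5; newer htpasswd builds offer bcrypt via -B.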