Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/06/22 16:56:47 UTC

svn commit: r1352910 - in /httpd/httpd/trunk: docs/manual/programs/htpasswd.xml support/htpasswd.c

Author: sf
Date: Fri Jun 22 14:56:44 2012
New Revision: 1352910

URL: http://svn.apache.org/viewvc?rev=1352910&view=rev
Log:
note more prominently that SHA and crypt are insecure

Modified:
    httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
    httpd/httpd/trunk/support/htpasswd.c

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=1352910&r1=1352909&r2=1352910&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Fri Jun 22 14:56:44 2012
@@ -108,11 +108,13 @@ distribution.</seealso>
     <dt><code>-d</code></dt>
     <dd>Use <code>crypt()</code> encryption for passwords. This is not
     supported by the <program>httpd</program> server on Windows and
-    Netware.</dd>
+    Netware. This algorithm limits the password length to 8 characters.
+    This algorithm is <strong>insecure</strong> by today's standards.</dd>
 
     <dt><code>-s</code></dt>
     <dd>Use SHA encryption for passwords. Facilitates migration from/to Netscape
-    servers using the LDAP Directory Interchange Format (ldif).</dd>
+    servers using the LDAP Directory Interchange Format (ldif).
+    This algorithm is <strong>insecure</strong> by today's standards.</dd>
 
     <dt><code>-p</code></dt>
     <dd>Use plaintext passwords. Though <code>htpasswd</code> will support
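Review bot: the new `-d` sentence "This algorithm limits the password length to 8 characters" reads as though longer input is rejected, whereas the usage text in the same commit says "8 chars max"; since the traditional DES-based crypt() simply ignores everything after the eighth character, make that explicit in the `<dd>`, e.g. "Only the first 8 characters of the password are used; anything longer is silently truncated." Both new "insecure by today's standards" sentences also stop short of telling the reader what to use instead; a short pointer to the default (MD5-based) option would make the warning actionable rather than only alarming.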
@@ -200,6 +202,9 @@ distribution.</seealso>
     there is only one encrypted representation. The <code>crypt()</code> and
     MD5 formats permute the representation by prepending a random salt string,
     to make dictionary attacks against the passwords more difficult.</p>
+
+    <p>The SHA and <code>crypt()</code> formats are insecure by today's
+    standards.</p>
 </section>
 
 <section id="restrictions"><title>Restrictions</title>
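Review bot: the added paragraph asserts that SHA and `crypt()` are insecure but gives no reason, even though the two sentences immediately above already supply one for SHA: it is one of the formats with "only one encrypted representation", i.e. it is unsalted, so identical passwords hash identically and precomputed dictionaries apply directly. Suggest tying the two together, e.g. "The SHA format is unsalted, and the `crypt()` format uses only the first 8 characters of the password; both are insecure by today's standards, and the MD5 format should be preferred." That keeps the warning prominent while letting the reader see what the preceding salt discussion has to do with it.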

Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=1352910&r1=1352909&r2=1352910&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Fri Jun 22 14:56:44 2012
@@ -283,9 +283,10 @@ static void usage(void)
         " (default)"
         "." NL);
     apr_file_printf(errfile, " -d  Force CRYPT encryption of the password"
-            "." NL);
+            " (8 chars max, insecure)." NL);
     apr_file_printf(errfile, " -p  Do not encrypt the password (plaintext)." NL);
-    apr_file_printf(errfile, " -s  Force SHA encryption of the password." NL);
+    apr_file_printf(errfile, " -s  Force SHA encryption of the password"
+            " (insecure)." NL);
     apr_file_printf(errfile, " -b  Use the password from the command line "
             "rather than prompting for it." NL);
     apr_file_printf(errfile, " -D  Delete the specified user." NL);
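Review bot: "(8 chars max, insecure)" on the `-d` line can be read as a hard limit the tool enforces rather than silent truncation by crypt(); "(truncated to 8 chars, insecure)" says what actually happens in the same number of characters. The `-d` and `-s` lines now carry warnings but the `-p` plaintext line between them does not, which makes plaintext look like the safer choice in this list; consider a matching parenthetical there so the three non-default options are flagged consistently, and mirror whatever wording the XML manual page ends up with so `--help` and the documentation agree.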