You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ma...@apache.org on 2005/10/31 10:19:20 UTC
svn commit: r329779 - /httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
Author: martin
Date: Mon Oct 31 01:19:17 2005
New Revision: 329779
URL: http://svn.apache.org/viewcvs?rev=329779&view=rev
Log:
Add random notes about possible weaknesses
Modified:
httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=329779&r1=329778&r2=329779&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Mon Oct 31 01:19:17 2005
@@ -190,6 +190,15 @@
<p>The use of the <code>-b</code> option is discouraged, since when it is
used the unencrypted password appears on the command line.</p>
+
+ <p>When using the <code>crypt()</code> algorithm, note that only the first
+ 8 characters of the password are used to form the password. If the supplied
+ password is longer, the extra characters will be silently discarded.</p>
+
+ <p>The SHA encryption format does not use salting: for a given password,
+ there is only one encrypted representation. The <code>crypt()</code> and
+ MD5 formats permute the representation by prepending a random salt string,
+ to make dictionary attacks against the passwords more difficult.</p>
</section>
<section id="restrictions"><title>Restrictions</title>