Posted to cvs@httpd.apache.org by ma...@apache.org on 2005/10/31 10:19:20 UTC

svn commit: r329779 - /httpd/httpd/trunk/docs/manual/programs/htpasswd.xml

Author: martin
Date: Mon Oct 31 01:19:17 2005
New Revision: 329779

URL: http://svn.apache.org/viewcvs?rev=329779&view=rev
Log:
Add random notes about possible weaknesses

Modified:
    httpd/httpd/trunk/docs/manual/programs/htpasswd.xml

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=329779&r1=329778&r2=329779&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Mon Oct 31 01:19:17 2005
@@ -190,6 +190,15 @@
 
     <p>The use of the <code>-b</code> option is discouraged, since when it is
     used the unencrypted password appears on the command line.</p>
+
+    <p>When using the <code>crypt()</code> algorithm, note that only the first
+    8 characters of the password are used  to form the password. If the supplied
+    password is longer, the extra characters will be silently discarded.</p>
+
+    <p>The SHA encryption format does not use salting: for a given password,
+    there is only one encrypted representation. The <code>crypt()</code> and
+    MD5 formats permute the representation by prepending a random salt string,
+    to make dictionary attacks against the passwords more difficult.</p>
 </section>
 
 <section id="restrictions"><title>Restrictions</title>
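
Review bot: In the first added paragraph, "only the first 8 characters of the password are used  to form the password" is circular and has a doubled space after "used". Name what is derived instead, for example "are used to form the stored hash", and consider stating the consequence outright: any two passwords that share their first 8 characters are accepted interchangeably under crypt(). In the second added paragraph, the SHA sentence gives the property (no salt, one representation per password) but leaves the effect implicit; a short clause saying that identical passwords therefore yield identical entries in the password file would make the contrast with the salted crypt() and MD5 formats explicit. "SHA encryption format" and "encrypted representation" describe a digest rather than something that can be decrypted, so "hashed" would be more precise if it fits the wording used in the rest of the page.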