Posted to users@httpd.apache.org by "TD - Sales International Holland B.V." <td...@salesint.com> on 2002/01/03 12:39:43 UTC

htpasswd and different kinds of encryption

Hey there,

first of all, please CC me, as I didn't join the list. Sorry about that, but 
I receive too much email already ( >1000 msgs a day :-(()

Anyways, my question is fairly simple. I had a look at the htpasswd man page 
and as far as I can see it supports 3 encryption types, CRYPT, MD5 & SHA. 
Crypt being the default, and MD5 would be a modified version of MD5 for 
apache. Now what I'd like to know is, which encryption standard is the 
strongest. (thus which one takes the longest if it's brute forced). The 
reason I'm asking is that I want to make my server as secure as possible. 
Of course I should make sure the .htpasswd file can't be retrieved in the 
first place, but just in case it happens anyways I want to maximize the time 
it will take the attacker to brute force the password file.

Thanks in advance.

Kind regards,

Ferry van Steen

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
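As an added example (not part of the thread or of Apache's own code), here is a hashlib-only verifier for two of the three htpasswd formats Ferry lists, the Apache-specific "$apr1$" MD5 variant and "{SHA}", plus a small audit that reports which scheme each entry uses. Classic crypt(3) is left out because it needs the platform crypt library; the sample entries, users, passwords and salt are constructed.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_md5(password: str, salt: str) -> str:
    """Apache's '$apr1$' md5-crypt variant: 1000 chained MD5 rounds over password/salt mixes."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):  # feed len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # bit-walk over len(pw): a NUL byte for set bits, pw[0] for clear bits
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):  # the stretching loop; this is what slows down guessing
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3: c.update(s)
        if r % 7: c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4))  # apr's to64()
    out += ITOA64[final[11] & 0x3F] + ITOA64[(final[11] >> 6) & 0x3F]
    return "$apr1$" + s.decode() + "$" + out

def verify(password: str, stored: str) -> bool:
    """Check a password against one htpasswd hash field ($apr1$ or {SHA})."""
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(apr1_md5(password, stored[6:].split("$", 1)[0]), stored)
    if stored.startswith("{SHA}"):  # unsalted single SHA-1: equal passwords give equal hashes
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest("{SHA}" + digest, stored)
    raise ValueError("plain crypt(3) entries need the platform crypt library")

# Constructed sample file: one salted apr1 entry and one unsalted {SHA} entry.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + apr1_md5("correct horse", "Salt1234"),
    "bob:{SHA}" + base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode(),
])

def audit(htpasswd_text: str) -> dict:
    """Map user -> scheme, so entries still on unsalted {SHA} can be re-hashed with htpasswd -m."""
    schemes = {}
    for line in htpasswd_text.splitlines():
        user, _, h = line.partition(":")
        schemes[user] = ("apr1 md5, salted, 1000 rounds" if h.startswith("$apr1$")
                         else "sha1, unsalted, single round" if h.startswith("{SHA}")
                         else "crypt or unknown")
    return schemes
```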


Re: htpasswd and different kinds of encryption

Posted by "TD - Sales International Holland B.V." <td...@salesint.com>.
On Thursday 03 January 2002 16:45, you wrote:

First off, thanks to Bill for the reply, and please CC me as I'm not a member on 
the list (td@salesint.com). Thanks in advance and sorry for the trouble. 
(Perhaps reply-all works though :-))

It might be true that MD5 is one-way, but encrypting it is really fast and 
you could easily write something to brute force it. And small passwords (like 
4 or 5 letters) WILL be found really fast by brute force. I'll have to check, 
but I think it's safe to assume that today's CPUs can easily MD5-crypt over 
100 passwords a second. That's already 6000 possibilities in a minute and 
already 360000 in an hour. I think it might go even way faster.... All that 
needs to be done is compare the crypts to the already encrypted password file; 
once you have a match you know the password....

Then again.... I don't think using a stronger algorithm will slow down the 
brute force that much for simple passwords :/

Any suggestions/comments?

> On Thu, 2002-01-03 at 06:39, TD - Sales International Holland B.V. wrote:
> > I had a look at the htpasswd man page
> > and as far as I can see it supports 3 encryption types, CRYPT, MD5 & SHA.
> > Crypt being the default, and MD5 would be a modified version of MD5 for
> > apache. Now what I'd like to know is, which encryption standard is the
> > strongest.
> >
> > Ferry van Steen
>
> Ferry, most crypto-type stuff I've read (I studied crypto in college for
> a masters degree, but have never analyzed this particular thing) has
> stated that md5 is probably the best storage method for short
> passwords, since it is one-way, that is, there is no known mathematical
> way to get the original plaintext from the resultant coded text.
>
> That said, I believe it's far more likely for someone to guess a
> poorly chosen password with any of the crypto techniques mentioned than
> to break any of them through analysis, so enforcing good
> password rules is probably where you have the best results.
>
> Billy
