Posted to dev@httpd.apache.org by Reindl Harald <h....@thelounge.net> on 2013/12/30 18:11:56 UTC

Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml


On 30.12.2013 18:07, Graham Leggett wrote:
> On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> 
>> Does anyone disagree with the below change (not yet merged to 2.x 
>> branches)? There is a similar paragraph in howto/auth.xml that I 
>> intend to remove.
> 
> I would say digest authentication is insecure because it (to my knowledge) 
> forces you to store the password in cleartext

clearly no

[harry@srv-rhsoft:~]$ htdigest --help
Usage: htdigest [-c] passwordfile realm username
The -c flag creates a new file.

does *not* store plaintext passwords


Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote:
> On 30.12.2013 18:07, Graham Leggett wrote:
> > On 30 Dec 2013, at 6:58 PM, Stefan Fritsch <sf...@sfritsch.de> wrote:
> >> Does anyone disagree with the below change (not yet merged to 2.x
> >> branches)? There is a similar paragraph in howto/auth.xml that I
> >> intend to remove.
> > 
> > I would say digest authentication is insecure because it (to my
> > knowledge) forces you to store the password in cleartext
> 
> clearly no
> 
> [harry@srv-rhsoft:~]$ htdigest --help
> Usage: htdigest [-c] passwordfile realm username
> The -c flag creates a new file.
> 
> does *not* store plaintext passwords

True, but as with the hash transmitted over the wire, the hash used in 
the digest file is just a single round of md5 which can easily be 
brute forced. Also, if the hashed string in the htdigest file is 
known, one can use it for digest authentication without knowing the 
real password.

The insecure password storage is definitely another reason not to use 
digest auth. I will add that to the docs, too.
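To make the point in the reply above concrete, here is an added illustration (not code from this thread or from httpd itself) of what the htdigest file actually holds and why it has to be protected like a plaintext password. It assumes the RFC 2617 computation with qop="auth": the stored value HA1 is a single unsalted MD5 of user:realm:password, and the response a client sends is derived from HA1 alone, so whoever reads the file can produce a valid response for that realm without ever learning the password. The user name, realm, nonce and password values are constructed for the example.

```python
import hashlib


def md5_hex(s: str) -> str:
    """Single round of MD5 over a UTF-8 string, hex-encoded (what the digest scheme uses throughout)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """Reproduce the line htdigest(1) writes: user:realm:HA1 with HA1 = md5(user:realm:password).

    There is no salt and no work factor: the same user/realm/password always yields the
    same line, so the value is as precomputable as any unsalted single-round hash.
    """
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def ha1_from_entry(entry: str) -> str:
    """Extract the stored HA1 from a digest-file line."""
    return entry.split(":", 2)[2]


def digest_response_from_ha1(ha1: str, nonce: str, method: str, uri: str,
                             nc: str = "00000001", cnonce: str = "0a4f113b",
                             qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: md5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = md5(method:uri).

    Note that only HA1 enters the computation; the password itself is never needed here.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response_from_password(user: str, realm: str, password: str,
                                  nonce: str, method: str, uri: str,
                                  nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """What a real client computes: derive HA1 from the password, then the same response."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return digest_response_from_ha1(ha1, nonce, method, uri, nc=nc, cnonce=cnonce)


def file_value_is_password_equivalent(user: str, realm: str, password: str,
                                      nonce: str, method: str, uri: str) -> bool:
    """True when the response built from the stored HA1 matches the one built from the password.

    This is the property the reply describes: leaking the digest file for a realm
    is equivalent to leaking the passwords for that realm.
    """
    stored = ha1_from_entry(htdigest_entry(user, realm, password))
    from_file = digest_response_from_ha1(stored, nonce, method, uri)
    from_pw = digest_response_from_password(user, realm, password, nonce, method, uri)
    return from_file == from_pw


if __name__ == "__main__":
    # Constructed values; the realm and nonce are not from any real server.
    entry = htdigest_entry("alice", "example-realm", "correct horse battery staple")
    print("digest file line:", entry)
    print("same input, same line (no salt):", entry == htdigest_entry("alice", "example-realm", "correct horse battery staple"))
    print("stored value suffices for a valid response:",
          file_value_is_password_equivalent("alice", "example-realm", "correct horse battery staple",
                                            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/private/"))
```

The practical consequence for operators is the one the reply draws: the digest file deserves the same handling as a plaintext credential store (restrictive file permissions, never committed to version control, rotated on exposure), and a compromise of it cannot be undone by anything short of changing every password in that realm.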