Posted to bugs@apr.apache.org by bu...@apache.org on 2012/01/31 20:16:09 UTC

DO NOT REPLY [Bug 49288] Add support for stronger cryptographic hashing functions

https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

--- Comment #2 from dmagda+asf@ee.ryerson.ca 2012-01-31 19:16:09 UTC ---
(In reply to comment #0)
> APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based
> passwords.  Moore's law and algorithmic improvements are increasingly making
> passwords stored in those hash functions vulnerable to cracking.
> 
> It would be beneficial if there were stronger hash functions such as
> sha256/512, whirlpool, or pbkdf2 available for use.

Another option would be to call the system crypt() function and leverage any
capabilities it has with stronger hashes.

So for the ALG_CRYPT case in htpasswd.c's mkrecord(), instead of just calling
rand() to generate the salt, one would call generate_salt() and prepend
"$2a$", "$5$", or "$6$" to it so that the system starts using a different
algorithm.

This may not work on all platforms (e.g., Solaris 8, AIX 5L), but for any Unix
revision released in the last ten years it should be okay.

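The prefix-plus-salt idea from comment #2, written out as an added example in Python; this is not APR or htpasswd code. It calls the system crypt(3) through Python's `crypt` module, builds only `$5$`/`$6$` settings (bcrypt's `$2a$` setting has a different layout with a cost field), draws the salt from a CSPRNG rather than rand(), and checks the platform caveat the comment raises by refusing to store a hash the libc did not actually produce with the requested prefix.

```python
import crypt    # thin wrapper over the system crypt(3); deprecated in 3.11, removed in 3.13
import hmac
import secrets

# Alphabet crypt(3) accepts in the salt field: [./0-9A-Za-z]
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The $id$ prefixes named in the comment: bcrypt, sha256-crypt, sha512-crypt
PREFIXES = {"bcrypt": "$2a$", "sha256": "$5$", "sha512": "$6$"}


def generate_salt(length=16):
    """Random salt from the crypt alphabet, from a CSPRNG instead of rand()."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def make_setting(prefix, salt):
    """Build the crypt(3) 'setting' string, e.g. '$6$<salt>$' (hypothetical helper)."""
    if prefix not in ("$5$", "$6$"):
        raise ValueError("this helper only builds sha256/sha512-crypt settings")
    if any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt contains characters outside the crypt alphabet")
    return prefix + salt + "$"


def hash_password(password, prefix="$6$"):
    setting = make_setting(prefix, generate_salt())
    hashed = crypt.crypt(password, setting)
    # Platform caveat from the comment: an old libc may ignore the prefix and
    # fall back to DES crypt, or return None. Refuse rather than store a weak hash.
    if hashed is None or not hashed.startswith(setting):
        raise RuntimeError("system crypt() does not support " + prefix)
    return hashed


def verify_password(password, stored):
    # crypt(3) parses algorithm and salt back out of the stored hash when it is
    # passed as the setting, so no separate salt field needs to be kept.
    recomputed = crypt.crypt(password, stored)
    return recomputed is not None and hmac.compare_digest(recomputed, stored)


def algorithm_of(stored):
    """Map a stored hash back to its algorithm name by its $id$ prefix."""
    for name, prefix in PREFIXES.items():
        if stored.startswith(prefix):
            return name
    return "crypt"  # traditional DES crypt carries no prefix
```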