
Mailing List Archive: Apache: Dev

Authentication Basic default format



jholguin at pentester

Oct 21, 2009, 2:07 AM

Post #1 of 2 (128 views)
Authentication Basic default format

Hi,

I have a question about htpasswd when creating password hashes for
"Basic Authentication". Why isn't there any warning message regarding
password truncation to 8 characters?

As you can see in your own documentation
(http://httpd.apache.org/docs/2.2/misc/password_encryptions.html),
OpenSSL is already warning us about this issue.


In my opinion the htpasswd command must show a warning message like
OpenSSL does. Do you agree?

Thanks in advance.
Regards

--
José Miguel Holguín
Security Technical Consultant
Carnegie Mellon Certified (FIH)

http://www.pentester.es


sf at sfritsch

Oct 23, 2009, 11:16 AM

Post #2 of 2 (103 views)
Re: Authentication Basic default format

On Wednesday 21 October 2009, José Miguel Holguín Aparicio wrote:
> I have a question about htpasswd when creating password hashes for
> "Basic Authentication". Why isn't there any warning message
> regarding password truncation to 8 characters?
>
> As you can see in your own documentation
> (http://httpd.apache.org/docs/2.2/misc/password_encryptions.html),
> OpenSSL is already warning us about this issue.
>
>
> In my opinion the htpasswd command must show a warning message like
> OpenSSL does. Do you agree?

Yes. Committed to trunk as r829162.

Cheers,
Stefan
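
An added example, not part of the thread and not Apache's code: a small audit that finds htpasswd entries stored in the traditional crypt() format, where only the first 8 characters of the password count, and shows which part of a password that format keeps. The function names and the sample file are assumptions made for illustration; the hash fields in the sample are constructed placeholders.

```python
import re

# Traditional DES crypt(3) output: 2 salt characters followed by 11 hash
# characters, all drawn from [./0-9A-Za-z], with no "$" or "{" prefix.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
CRYPT_SIGNIFICANT = 8  # traditional crypt() ignores everything past 8 characters


def classify(hash_field):
    """Best-effort guess of the htpasswd hash format from its prefix and shape."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if _DES_CRYPT.match(hash_field):
        return "crypt"
    return "unknown"


def audit(htpasswd_text):
    """Return (line_number, user) for every entry stored in crypt() format."""
    findings = []
    for lineno, line in enumerate(htpasswd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if sep and classify(hash_field) == "crypt":
            findings.append((lineno, user))
    return findings


def significant_part(password):
    """Return the bytes crypt() actually uses and whether any were dropped."""
    raw = password.encode("utf-8")
    return raw[:CRYPT_SIGNIFICANT], len(raw) > CRYPT_SIGNIFICANT


# Constructed sample file; the hash fields are placeholders, not real hashes.
SAMPLE = """\
alice:ab0123456789.
bob:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:zz/ABCDEFGHIJ
"""

if __name__ == "__main__":
    for lineno, user in audit(SAMPLE):
        print(f"line {lineno}: {user} uses crypt(); only 8 characters count")
    print(significant_part("correcthorse"))
```

The format detection is a heuristic based on the shape of the stored field, so a 13-character plaintext entry would also be reported as crypt(); treat the findings as candidates for re-hashing with a stronger format.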
