LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Responsible disclosure in open source: The crypt() vulnerability

Responsible disclosure in open source: The crypt() vulnerability

Posted Jun 8, 2012 15:14 UTC (Fri) by epa (subscriber, #39769)
In reply to: Responsible disclosure in open source: The crypt() vulnerability by dps
Parent article: Responsible disclosure in open source: The crypt() vulnerability

I kind of trusted that the Apache developers would know what they were doing and the 'htpasswd' files supported by Apache would use a good-quality salted hash.

As for sending passwords over the wire, I suppose that in principle you could use some awesome piece of Javascript to implement a zero-knowledge proof, but surely 99.999% of HTML password forms out there on the web just send the password back to the server anyway.

HTTP digest authentication uses salted MD5, which is not ideal but not awful.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds