Responsible disclosure in open source: The crypt() vulnerability

Posted Jun 8, 2012 15:14 UTC (Fri) by epa (subscriber, #39769)
In reply to: Responsible disclosure in open source: The crypt() vulnerability by dps
Parent article: Responsible disclosure in open source: The crypt() vulnerability

I kind of trusted that the Apache developers would know what they were doing and the 'htpasswd' files supported by Apache would use a good-quality salted hash.

As for sending passwords over the wire, I suppose that in principle you could use some awesome piece of JavaScript to implement a zero-knowledge proof, but surely 99.999% of HTML password forms out there on the web just send the password back to the server anyway.

HTTP digest authentication uses salted MD5, which is not ideal but not awful.



Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds