| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.1.7 |
| Request #21099 | [patch] bcrypt hashing for Apache | ||
|---|---|---|---|
| Submitted: | 2016-07-25 00:15 UTC | ||
| From: | maddes | Assigned: | |
| Status: | Open | Package: | File_Passwd (version 1.1.7) |
| PHP Version: | 5.6.23 | OS: | Debian 8 Jessie |
| Roadmaps: | (Not assigned) | ||
[2016-07-25 00:15 UTC] maddes
(Maddes Buecher)
Description:
------------
File/Passwd[.php|/AuthBasic.php] does not support the recommended bcrypt hashing ($2y$nn$) for passwords in .htpasswd files.
Blowfish $2y$ for bcrypt is supported by PHP since 5.3.7 (see changelog at http://php.net/manual/en/function.crypt.php)
A patch is attached that adds this functionality.
Comments
[2016-08-08 19:42 UTC] maddes
(Maddes Buecher)
The patch also...
...determines the password type from the prefix/salt in function verifyPasswd. This is necessary to verify a password which is not encrypted with the current encryption mode.
Example_ you ask your users to change their passwords to convert them from SHA/MD5 to BCRYPT.
...use MD5 as default in Authbasic.php, as SHA is insecure and DES is not available on Windows.