
Request #21099 [patch] bcrypt hashing for Apache
Submitted: 2016-07-25 00:15 UTC
From: maddes Assigned:
Status: Open Package: File_Passwd (version 1.1.7)
PHP Version: 5.6.23 OS: Debian 8 Jessie
Roadmaps: (Not assigned)    


 [2016-07-25 00:15 UTC] maddes (Maddes Buecher)
Description:
------------
File/Passwd[.php|/AuthBasic.php] does not support the recommended bcrypt hashing ($2y$nn$) for passwords in .htpasswd files.
Blowfish $2y$ for bcrypt is supported by PHP since 5.3.7 (see changelog at http://php.net/manual/en/function.crypt.php).
A patch is attached that adds this functionality.

Comments

 [2016-07-25 00:20 UTC] maddes (Maddes Buecher)
 [2016-08-08 19:29 UTC] maddes (Maddes Buecher)
 [2016-08-08 19:42 UTC] maddes (Maddes Buecher)
The patch also...
...determines the password type from the prefix/salt in function verifyPasswd. This is necessary to verify a password which is not encrypted with the current encryption mode. Example: you ask your users to change their passwords to convert them from SHA/MD5 to BCRYPT.
...uses MD5 as default in Authbasic.php, as SHA is insecure and DES is not available on Windows.
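The prefix-based detection described in the comment above, as an added example that is neither the attached patch nor File_Passwd code. The function names `htpasswd_scheme` and `htpasswd_verify` are hypothetical, and the `$apr1$`, `{SHA}` and 13-character DES layouts are the standard Apache .htpasswd encodings, assumed here rather than quoted from this page.

```php
<?php
// Added example: hypothetical helpers, not part of File_Passwd or the attached patch.

// Classify a stored .htpasswd hash by its prefix (assumed standard Apache formats).
function htpasswd_scheme($hash)
{
    if (preg_match('/^\$2y\$\d{2}\$/', $hash)) {
        return 'bcrypt';                       // $2y$nn$...
    }
    if (strncmp($hash, '$apr1$', 6) === 0) {
        return 'apr1-md5';                     // Apache's MD5 variant
    }
    if (strncmp($hash, '{SHA}', 5) === 0) {
        return 'sha1';                         // unsalted SHA-1, base64 encoded
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) {
        return 'des';                          // traditional crypt(3), 2-char salt
    }
    return 'unknown';
}

// Verify against whatever scheme the stored hash uses, not the configured mode.
function htpasswd_verify($password, $hash)
{
    switch (htpasswd_scheme($hash)) {
        case 'bcrypt':
            return password_verify($password, $hash);
        case 'sha1':
            $calc = '{SHA}' . base64_encode(sha1($password, true));
            return hash_equals($hash, $calc);  // constant-time comparison
        case 'des':
            $calc = crypt($password, $hash);   // salt is read from the stored hash
            return is_string($calc) && hash_equals($hash, $calc);
        default:
            // apr1-md5 needs Apache's own algorithm (not in PHP core);
            // unknown formats fail closed.
            return false;
    }
}

// Constructed sample entries (password "secret"), built inline so this runs offline.
$entries = array(
    'alice' => password_hash('secret', PASSWORD_BCRYPT, array('cost' => 10)),
    'bob'   => '{SHA}' . base64_encode(sha1('secret', true)),
);
foreach ($entries as $user => $hash) {
    $scheme = htpasswd_scheme($hash);
    printf("%s: scheme=%s verified=%s rehash_to_bcrypt=%s\n", $user, $scheme,
        var_export(htpasswd_verify('secret', $hash), true),
        var_export($scheme !== 'bcrypt', true));
}
```

The `rehash_to_bcrypt` flag marks entries that should be rewritten as bcrypt after a successful login, which is the SHA/MD5 to BCRYPT conversion the comment describes.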
 [2017-05-26 17:46 UTC] ashnazg (Chuck Burgess)
-Type: Bug
+Type: Feature/Change Request