haskell / hackage-server

Hackage-Server: A Haskell Package Repository
http://hackage.haskell.org

HTTP Digest Auth is susceptible to offline brute force attacks #90

Open tibbe opened 11 years ago

tibbe commented 11 years ago

Since HTTP Digest Auth uses MD5 to hash passwords it's feasible to brute-force the password database if it ever gets compromised. Current best-practice is to use a purposely slow hashing algorithm e.g. by using bcrypt.

dcoutts commented 11 years ago

Would it work for us to use an extra hashing round for the stored passwords and still use http digest auth? As far as I can see that'd work. Am I missing anything?

gracenotes commented 11 years ago

All the user sends is a hash, which requires us to concatenate md5(username:realm:password) with other request-specific things to reconstruct.

dcoutts commented 11 years ago

Mmm, yes I see. (see checkDigestAuthInfo)
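The exchange gracenotes describes, as an added example that is not part of this thread or of hackage-server's code: the RFC 2617 digest computation (qop=auth) carried through on both sides, showing why the server must hold the plain md5(username:realm:password) value (HA1) to check a response, and why an extra hashing round over the stored HA1, as dcoutts asked about, leaves the server unable to verify. The realm, credentials, nonce and client nonce are constructed sample values; the function names are hypothetical and do not mirror hackage-server's checkDigestAuthInfo.

```python
import hashlib
import hmac

# Constructed sample values (not from hackage-server).
REALM = "example-realm"
USERNAME = "alice"
PASSWORD = "correct horse"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-chosen, constructed
CNONCE = "0a4f113b"                           # client-chosen, constructed
NC = "00000001"
METHOD, URI = "PUT", "/package/foo-1.0"


def md5_hex(s: str) -> str:
    """Hex MD5 of a UTF-8 string (digest auth is defined in terms of MD5)."""
    return hashlib.md5(s.encode()).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = md5(username:realm:password). This is what a digest server stores
    in its password database; note that it is one unsalted MD5 per password
    guess (the realm is a fixed public string), which is the cheap-to-brute-force
    value the issue is about."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """What the client puts in the Authorization header's response= field.
    The client starts from HA1 (derived from the password it knows) and
    mixes in the request-specific nonce, nonce-count, cnonce and HA2."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_value: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """The server recomputes the response from whatever it has stored for the
    user and compares in constant time. This only works if stored_value is the
    exact HA1 the client used."""
    expected = client_response(stored_value, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def verify_against_stored_ha1() -> bool:
    """Server stores HA1 as-is: verification succeeds (and a wrong password fails)."""
    stored = compute_ha1(USERNAME, REALM, PASSWORD)
    good = client_response(compute_ha1(USERNAME, REALM, PASSWORD),
                           METHOD, URI, NONCE, NC, CNONCE)
    bad = client_response(compute_ha1(USERNAME, REALM, "wrong password"),
                          METHOD, URI, NONCE, NC, CNONCE)
    return (server_verify(stored, METHOD, URI, NONCE, NC, CNONCE, good)
            and not server_verify(stored, METHOD, URI, NONCE, NC, CNONCE, bad))


def verify_against_double_hashed_ha1() -> bool:
    """Server stores an extra hash round over HA1 (sha256(HA1) here, any slow
    hash behaves the same). The client still computes its response from the
    real HA1, and the server cannot recover HA1 from the stored value, so the
    recomputed response never matches even for the correct password."""
    stored = hashlib.sha256(compute_ha1(USERNAME, REALM, PASSWORD).encode()).hexdigest()
    good = client_response(compute_ha1(USERNAME, REALM, PASSWORD),
                           METHOD, URI, NONCE, NC, CNONCE)
    return server_verify(stored, METHOD, URI, NONCE, NC, CNONCE, good)


if __name__ == "__main__":
    print("plain HA1 stored, correct password accepted:", verify_against_stored_ha1())
    print("hashed HA1 stored, correct password accepted:", verify_against_double_hashed_ha1())
```

The second function is the crux of gracenotes' point: because the digest response is a function of HA1 itself, the server's stored secret has to be HA1, and any slow hash applied on top of it has to be undone before the check, which is exactly what a hash prevents. Hardening the stored value therefore means changing the authentication scheme, not just the storage format.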