Open tibbe opened 11 years ago
Would it work for us to use an extra hashing round for the stored passwords and still use http digest auth? As far as I can see that'd work. Am I missing anything?
All the user sends is a hash, which requires us to concatenate md5(username:realm:password) with other request-specific things to reconstruct.
Mmm, yes I see. (see checkDigestAuthInfo)
Since HTTP Digest Auth uses MD5 to hash passwords, it's feasible to brute-force the password database if it ever gets compromised. Current best-practice is to use a purposely slow hashing algorithm, e.g. by using bcrypt.
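The constraint discussed in this thread (the server must hold HA1 = md5(username:realm:password) itself, so an extra hashing round over the stored value breaks verification), as an added example that is not part of the issue or of the project's own code. It recomputes the RFC 2617 example request; SHA-256 stands in for the proposed extra round, and all names are assumptions.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password); this is the value a Digest server keeps
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username: str, realm: str, password: str, method: str,
                         uri: str, nonce: str, nc: str, cnonce: str) -> dict:
    # The client sends only the response hash, never the password or HA1
    ha1 = compute_ha1(username, realm, password)
    return {"username": username, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def server_verify(stored_secret: str, method: str, auth: dict) -> bool:
    # The server recomputes the response from what it stored; this only works
    # when the stored secret is HA1 itself (compare in constant time).
    expected = digest_response(stored_secret, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


def extra_round(ha1: str) -> str:
    # The "extra hashing round" from the issue; SHA-256 stands in for bcrypt here.
    # HA1 is not recoverable from this, so Digest verification cannot proceed.
    return hashlib.sha256(ha1.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed exchange using the example parameters from RFC 2617 section 3.5
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    auth = client_authorization(user, realm, pw, "GET", "/dir/index.html",
                                "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                                "00000001", "0a4f113b")
    ha1 = compute_ha1(user, realm, pw)
    return {"response": auth["response"],
            "with_ha1": server_verify(ha1, "GET", auth),
            "with_extra_round": server_verify(extra_round(ha1), "GET", auth)}
```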