
On a server I'd like to switch from Apache auth_basic to auth_digest for security reasons.

Is there a way to convert the old .htpasswd file to the htdigest format?

Dilip Manek
pixelsucht

1 Answer

The htpasswd program usually creates encrypted passwords. If you used MD5, SHA1, bcrypt or crypt for encrypting passwords, you almost certainly can't recover the original data. These cryptographic functions are called one-way: you can create a hash, but you can't restore the original value. That is the main purpose of one-way functions.

As far as I know, the HTTP Digest algorithm (RFC 2617) introduced the so-called realm, a [unique] string used in the challenge. This information is used for hashing passwords. It's not possible to reuse a file with passwords because, for Basic Authentication, those passwords were hashed without the realm information.

Try to ask your users to change their passwords after the first authentication.

  • Thank you. As far as I know the passwords in htdigest are in md5 also. So my thought was to simply copy the md5 hashes from htpasswd to the htdigest passwd file. – pixelsucht Feb 16 '13 at 15:52
  • @rechengehirn I added a note. –  Feb 16 '13 at 16:33
  • MD5, especially unsalted, is not "one-way" only nowadays. SHA1 isn't doing that much better; only bcrypt does well, as it's salted correctly, etc. – Wernight Jul 18 '13 at 16:15
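As an added example, not part of the question or the answer above, the following Python shows concretely why an htpasswd entry cannot be turned into an htdigest entry and what the "after the first authentication" migration path looks like. It assumes a constructed user "alice" with a constructed password, an assumed realm string "Private Area", and it only handles Apache's `{SHA}` htpasswd format (the `$apr1$` MD5 and bcrypt formats would need their own verifiers). htdigest stores HA1 = MD5(user:realm:password) as defined in RFC 2617, so the realm is part of the hash input and a realm-free htpasswd hash (even an MD5 one) carries no usable value; the only moment the plaintext is available is when the user authenticates against the old file.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample entry (not from the question). Apache's "{SHA}" htpasswd
# format is "{SHA}" followed by base64(sha1(password)): no salt, no realm.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"      # constructed
SAMPLE_REALM = "Private Area"          # assumed realm for the new digest file
SAMPLE_HTPASSWD_LINE = (
    SAMPLE_USER + ":{SHA}"
    + base64.b64encode(hashlib.sha1(SAMPLE_PASSWORD.encode()).digest()).decode()
)


def parse_htpasswd_line(line: str) -> Tuple[str, str]:
    """Split a 'user:hash' line into its two fields."""
    user, _, stored = line.rstrip("\n").partition(":")
    if not user or not stored:
        raise ValueError("malformed htpasswd line")
    return user, stored


def verify_htpasswd_sha(stored: str, password: str) -> bool:
    """Check a password against a '{SHA}...' htpasswd hash."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only the {SHA} format is handled in this example")
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time comparison, as for any password check.
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 from RFC 2617: MD5(user:realm:password), hex encoded.
    This is the value htdigest stores; the realm is baked into the hash."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def make_htdigest_line(user: str, realm: str, password: str) -> str:
    """One line of an htdigest file: user:realm:HA1."""
    return f"{user}:{realm}:{digest_ha1(user, realm, password)}"


def migrate_on_login(htpasswd_line: str, realm: str,
                     submitted_password: str) -> Optional[str]:
    """Migration hook for the transition period: when a user authenticates
    with Basic auth against the old file, the plaintext password is briefly
    available, so the htdigest entry can be computed right then.
    Returns the new htdigest line, or None if the password does not verify."""
    user, stored = parse_htpasswd_line(htpasswd_line)
    if not verify_htpasswd_sha(stored, submitted_password):
        return None
    return make_htdigest_line(user, realm, submitted_password)


if __name__ == "__main__":
    print("old htpasswd line:", SAMPLE_HTPASSWD_LINE)
    print("new htdigest line:",
          migrate_on_login(SAMPLE_HTPASSWD_LINE, SAMPLE_REALM, SAMPLE_PASSWORD))
    # Same user and password under two realms give two different HA1 values:
    # the realm is part of the hash input, so the old file cannot be converted.
    print(digest_ha1("alice", "realm-a", "pw") != digest_ha1("alice", "realm-b", "pw"))
```

In practice `migrate_on_login` would run inside whatever handles the Basic login during the transition (a small auth helper or login form), appending its result to the htdigest file and removing the user from the htpasswd file once migrated; users who never log in during the transition need a password reset, which is the answer's fallback.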