- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit eef9b2529c.
It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.
That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.
With a rainbow table, cracking "SHA" is easily done.
A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.
Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
htpasswd doesn't protect passwords very well. MD5 was used
before and now any newly created passwords will use the
SHA format.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
