granicus.if.org Git - apache/commitdiff
Add random notes about possible weaknesses
author Martin Kraemer <martin@apache.org>
Mon, 31 Oct 2005 09:19:17 +0000 (09:19 +0000)
committer Martin Kraemer <martin@apache.org>
Mon, 31 Oct 2005 09:19:17 +0000 (09:19 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@329779 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/programs/htpasswd.xml

index 294a1a02df63bc3ed166f590c76911bd467fa00a..97c631b175998a5fedfb4257d9bef00b52bcbdfc 100644 (file)
@@ -190,6 +190,15 @@ distribution.</seealso>
 
     <p>The use of the <code>-b</code> option is discouraged, since when it is
     used the unencrypted password appears on the command line.</p>
+
+    <p>When using the <code>crypt()</code> algorithm, note that only the first
+    8 characters of the password are used  to form the password. If the supplied
+    password is longer, the extra characters will be silently discarded.</p>
+
+    <p>The SHA encryption format does not use salting: for a given password,
+    there is only one encrypted representation. The <code>crypt()</code> and
+    MD5 formats permute the representation by prepending a random salt string,
+    to make dictionary attacks against the passwords more difficult.</p>
 </section>
 
 <section id="restrictions"><title>Restrictions</title>
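
Review bot: In the added crypt() paragraph, "only the first 8 characters of the password are used  to form the password" is circular and carries a doubled space after "used"; name what is actually formed, for example "are used to form the stored hash". The SHA paragraph explains what the salt does for crypt() and MD5 but stops short of the consequence for SHA: because "there is only one encrypted representation", two users with the same password get identical entries in the file, and one precomputed dictionary works against every entry. Saying that explicitly, and saying which format the reader should prefer, would turn these notes into actionable guidance.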