From: Jim Jagielski <jim@apache.org>
Date: Wed, 25 Jul 2012 11:38:19 +0000 (+0000)
Subject:    * htpasswd: Note more prominently that SHA and crypt are insecure.
X-Git-Tag: 2.4.3~181
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0282d1c0daf07b2b9780339f0f4ecb9d20613c57;p=apache

   * htpasswd: Note more prominently that SHA and crypt are insecure.
        trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1352910
        2.4.x patch: trunk patch works
        +1: rjung, humbedooh, jim



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1365528 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/STATUS b/STATUS
index 6d4e7dfbbd..bb9a751d02 100644
--- a/STATUS
+++ b/STATUS
@@ -110,12 +110,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      +1: rjung, jorton, jim
      rjung: sf: you applied it to trunk, care to vote?
 
-   * htpasswd: Note more prominently that SHA and crypt are insecure.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1352910
-     2.4.x patch: trunk patch works
-     +1: rjung, humbedooh, jim
-     rjung: sf: you applied it to trunk, care to vote?
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml
index f08caf37c7..b254e141d4 100644
--- a/docs/manual/programs/htpasswd.xml
+++ b/docs/manual/programs/htpasswd.xml
@@ -108,11 +108,13 @@ distribution.</seealso>
     <dt><code>-d</code></dt>
     <dd>Use <code>crypt()</code> encryption for passwords. This is not
     supported by the <program>httpd</program> server on Windows and
-    Netware.</dd>
+    Netware. This algorithm limits the password length to 8 characters.
+    This algorithm is <strong>insecure</strong> by today's standards.</dd>
 
     <dt><code>-s</code></dt>
     <dd>Use SHA encryption for passwords. Facilitates migration from/to Netscape
-    servers using the LDAP Directory Interchange Format (ldif).</dd>
+    servers using the LDAP Directory Interchange Format (ldif).
+    This algorithm is <strong>insecure</strong> by today's standards.</dd>
 
     <dt><code>-p</code></dt>
     <dd>Use plaintext passwords. Though <code>htpasswd</code> will support
@@ -200,6 +202,9 @@ distribution.</seealso>
     there is only one encrypted representation. The <code>crypt()</code> and
     MD5 formats permute the representation by prepending a random salt string,
     to make dictionary attacks against the passwords more difficult.</p>
+
+    <p>The SHA and <code>crypt()</code> formats are insecure by today's
+    standards.</p>
 </section>
 
 <section id="restrictions"><title>Restrictions</title>
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 16e55a0630..993ce625e3 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -283,9 +283,10 @@ static void usage(void)
         " (default)"
         "." NL);
     apr_file_printf(errfile, " -d  Force CRYPT encryption of the password"
-            "." NL);
+            " (8 chars max, insecure)." NL);
     apr_file_printf(errfile, " -p  Do not encrypt the password (plaintext)." NL);
-    apr_file_printf(errfile, " -s  Force SHA encryption of the password." NL);
+    apr_file_printf(errfile, " -s  Force SHA encryption of the password"
+            " (insecure)." NL);
     apr_file_printf(errfile, " -b  Use the password from the command line "
             "rather than prompting for it." NL);
     apr_file_printf(errfile, " -D  Delete the specified user." NL);