wigwam generated basic salted password secure?

Rene
18 May 2017, 22:34
Hi Hugo,

When I want to use authentication for webpage access, I use Hiawatha v10.5 (yes, I should upgrade).
I generate my passwords for protecting directories with wigwam -b .... These are stored in .htpassword files.
And I believe Hiawatha is secure, so my .htpassword is not retrievable by default.

But suppose I made a wrong configuration, and the file was downloaded in some way, can this file be decrypted with brute force effort in a small time frame?

Looking in your source file https://github.com/hsleisink/hiawatha/blob/master/src/wigwam.c I notice MD5 references.
For basic, crypt is being used with MD5 hashing.
For digest, mbedtls_md5 is being used.

Reading the FAQ at https://crackstation.net/hashing-security.htm#faq, I have some doubts about security because MD5 is mentioned in your code.
So could this be a security issue? (I presume not, but asking is better.)

Thanks in advance,
Rene

Hugo Leisink
19 May 2017, 19:09
A brute force attack is always possible, but how fast depends on how strong your passwords are. My advice: change the passwords as soon as possible. Another piece of advice: never place a password file within the website root directory. The choice of MD5 is not mine, it's defined in the HTTP authentication standard.
This topic has been closed.
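
A defensive check for the two points raised in this thread, as an added example that is not part of the original posts or of Hiawatha's code: it classifies each password-file entry by hash scheme and reports whether the file sits under the website root. The file layouts (`user:hash` for basic, `user:realm:md5hex` for digest), the paths and the sample entries are assumptions constructed for illustration.

```python
import os
import string

# Standard crypt(3) prefixes. "weak" = fixed, cheap cost, so an offline
# brute force after a leak is fast; "ok" = cost factor can be raised.
SCHEMES = {
    "$1$": ("md5-crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256-crypt", "ok"),
    "$6$": ("sha512-crypt", "ok"),
}

# Constructed sample entries (placeholder hashes, not real credentials).
SAMPLE = """\
# basic entries
alice:$1$abcdefgh$0123456789abcdefghijkl
bob:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:Private area:0123456789abcdef0123456789abcdef
"""

def classify_entry(line):
    """Return (user, scheme, verdict) for one line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    # Assumed digest layout: user:realm:MD5(user:realm:password) as 32 hex chars.
    if len(fields) == 3 and len(fields[2]) == 32 and set(fields[2]) <= set(string.hexdigits):
        return (fields[0], "digest-md5", "weak")
    if len(fields) >= 2:
        for prefix, (name, verdict) in SCHEMES.items():
            if fields[1].startswith(prefix):
                return (fields[0], name, verdict)
    return (fields[0], "unknown", "review")

def inside_web_root(password_file, web_root):
    """True if the password file resolves to a location under the web root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(password_file)
    # commonpath compares whole path components, so /var/www/site-old
    # is not mistaken for a child of /var/www/site.
    return os.path.commonpath([root, target]) == root

def audit(text, password_file, web_root):
    entries = [e for e in map(classify_entry, text.splitlines()) if e]
    return {
        "in_web_root": inside_web_root(password_file, web_root),
        "weak": [user for user, _, verdict in entries if verdict == "weak"],
        "entries": entries,
    }
```

Accounts listed under `weak` depend entirely on password strength if the file ever leaks, so those are the ones to rotate first.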