Any way to store the digest auth password in encrypted way?

Praseed
31 March 2010, 23:45


Hiawatha version: 6.14.1
Operating System: 2.6.18

Hi,

While configuring digest authentication I noticed that the password file
format must be <username>:<clear_text_password>.
The password file created with the htdigest command didn't work either.
I'm worried about storing the username & password in clear text on my webserver.
Isn't it compromising the security?
Is there any solution to avoid this?

Thanks
Praseed

Ref:
PasswordFile = ((basic|digest):<passwordfile>)|none[,<groupfile>]
For Digest HTTP authentication, the format of the passwordfile is:
<username>:<password>[:user defined fields: ...]

Hugo Leisink
1 April 2010, 00:04
It is true that digest authentication requires the passwords to be stored in plaintext on the server. This wasn't my idea; I didn't invent this method. Otherwise, I would have made it more secure.

The best way to avoid this insecurity is to create your own authentication and store the passwords in hashed form in a database.

Praseed
1 April 2010, 00:16
OK, if I use a different authentication other than basic or digest, how do I incorporate that with Hiawatha?
Should I use redirect?

Hugo Leisink
1 April 2010, 08:35
If you want authentication for a website, build it into that website. If you want authentication for just a file share, you're stuck with basic or digest HTTP authentication.

Praseed
6 April 2010, 19:56
Came to know that the Apache web server stores the digest password in an encrypted way on the hard disk (htdigest).
I wish it were the same way in Hiawatha too.

Hugo Leisink
6 April 2010, 22:10
I've changed digest HTTP authentication in Hiawatha so that the required password file is compatible with htdigest(1)'s output.
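To illustrate what an htdigest(1)-compatible file buys you, here is an added example (not Hiawatha's or Apache's own code): the server stores only HA1 = MD5(user:realm:password) per line and can still verify an RFC 2617 digest response (qop=auth) from it, so the plaintext password never touches the disk. The users, realm, nonces and password file below are constructed for the demonstration.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """MD5 is what the Digest scheme prescribes; it is not a free choice here."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line in htdigest(1) format: user:realm:HA1 with HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def load_ha1(lines, user: str, realm: str):
    """Look up the stored HA1 for (user, realm); None if there is no such entry."""
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[0] == user and parts[1] == realm:
            return parts[2]
    return None


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. The client derives HA1 from the password it knows;
    the server does not need the password at all, it reuses the HA1 it stored."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(lines, user, realm, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recompute the expected response from stored HA1, compare in constant time."""
    ha1 = load_ha1(lines, user, realm)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Constructed password file, as htdigest would write it: no plaintext password present.
REALM = "Hiawatha test realm"
PASSWORD_FILE = [htdigest_line("praseed", REALM, "correct horse battery"),
                 htdigest_line("hugo", REALM, "another secret")]


def demo(password: str) -> bool:
    """Simulate one client request for user 'praseed' with the given password (constructed nonces)."""
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    client_ha1 = md5_hex(f"praseed:{REALM}:{password}")  # only the client knows the password
    response = digest_response(client_ha1, "GET", "/private/", nonce, nc, cnonce)
    return verify_digest(PASSWORD_FILE, "praseed", REALM, "GET", "/private/", nonce, nc, cnonce, response)


if __name__ == "__main__":
    print(demo("correct horse battery"), demo("wrong"))  # True False
```

Note that a stored HA1 is still a password-equivalent for that realm, so the file must stay readable only by the web server; the gain over Hiawatha's earlier <username>:<password> format is that the password itself cannot be read back or reused elsewhere.
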
Praseed
6 April 2010, 22:39
Wow! That's great, Hugo!
When is the next release going to happen?

Hugo Leisink
6 April 2010, 22:43
Not sure yet, I want to do some more testing on some new things (new Digest for example). You can download the 7.2 beta here [www.leisink.net]. Please, do not distribute this file. It's NOT an official release.

Praseed
6 April 2010, 23:07
Thank you!

This topic has been closed.