#382 closed enhancement (wontfix)
RFE - Support for bcrypt hashes
| Reported by: | Gianluca Varisco | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.3.x |
| Keywords: | Cc: | ||
| uname -a: | |||
| nginx -V: | latest? | ||
Description
Hi everybody.
I'd like to use bcrypt hashes for nginx auth. Is there any plan to support/implement it? According to your official Wiki there's a 3rd party patch for 1.3.14 available at https://gist.github.com/z38/5227024
Apache httpd 2.4.x has implemented it - httpd.apache.org/docs/current/programs/htpasswd.html
Considered the security discussions around SHA schema, would be possible to have this patch merged?
Change History (2)
comment:1 by , 11 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 9 years ago
$apr1$ is md5 slowed down a 1000 times. Thats *not* very secure by todays standard.
I guess you might want to consider reopening this ticket.
Note:
See TracTickets
for help on using tickets.
All crypt(3) algorithms supported in your OS are available for use in nginx. If you want to use an algorithm which provides extra security, it's a good idea to look into this direction. That is, if you want to use an algorithm - just use it, blowfish crypt algorithm is available on modern OSes.
From portability point of view, there is support for
$apr1$(aka Apache version of phk's md5 crypt algorithm) which is available on all platforms and believed to be sufficiently secure.As for the patch linked - it is certainly wrong, it tries to modify wrong code (unix one instead of os-independent one), and it also looks like it uses an old algorithm identifier (
$2a$instead of$2y$, see http://openwall.com/crypt/).