Support for secure Apache compatible password encryption #9
Comments
Yeah, I agree, I can't believe it's not done already. I can't believe cyrus-imap's auxprop mysql doesn't support ANY encryption at all and that I had to use pam_mysql just to get a CRYPT password.
+1
Working on a patch to add salted SHA1, salted SHA256 and salted SHA512, with a salt length of 8 characters. Entries in the database could then look something like sha1$Sx8$Hx40, sha256$Sx8$Hx64, and sha512$Sx8$Hx128, where Sx8 is the salt, and Hx[40|64|128] is the hash itself.
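The entry layout proposed in the comment above (sha1$Sx8$Hx40, sha256$Sx8$Hx64, sha512$Sx8$Hx128), as an added Python example that is not part of the thread or of pam-MySQL's code. The function names, the alphanumeric salt alphabet and the salt-then-password concatenation are assumptions; the comment does not say how salt and password are combined.

```python
import hashlib
import hmac
import secrets
import string

# Scheme name -> (hashlib constructor, hex digest length), per the proposed layout.
SCHEMES = {"sha1": (hashlib.sha1, 40), "sha256": (hashlib.sha256, 64),
           "sha512": (hashlib.sha512, 128)}
SALT_LEN = 8
SALT_ALPHABET = string.ascii_letters + string.digits  # assumption: '$' never appears in a salt
HEX_DIGITS = set("0123456789abcdef")


def digest_hex(scheme, salt, password):
    # Assumption: digest = H(salt || password), UTF-8 encoded; the thread does not fix this.
    return SCHEMES[scheme][0](salt.encode() + password.encode()).hexdigest()


def make_entry(scheme, password, salt=None):
    """Build 'scheme$salt$hexdigest', drawing a fresh random 8-character salt by default."""
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme: %r" % scheme)
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    return "%s$%s$%s" % (scheme, salt, digest_hex(scheme, salt, password))


def parse_entry(entry):
    """Return (scheme, salt, hexdigest) or raise ValueError on a malformed entry."""
    parts = entry.split("$")
    if len(parts) != 3:
        raise ValueError("expected scheme$salt$hash")
    scheme, salt, digest = parts
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme")
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 characters")
    if len(digest) != SCHEMES[scheme][1] or not set(digest) <= HEX_DIGITS:
        raise ValueError("digest has wrong length or is not lowercase hex")
    return scheme, salt, digest


def verify(entry, password):
    """True only for a well-formed entry whose digest matches; malformed rows fail closed."""
    try:
        scheme, salt, digest = parse_entry(entry)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    return hmac.compare_digest(digest_hex(scheme, salt, password), digest)
```

A single salted SHA round is fast to compute, so this layout defeats precomputed tables but does not slow offline guessing the way bcrypt does.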
We have SHA256 and 512 now. Closing this report.
@NigelCunningham Would a PR to support salted SHA1, SHA256 and SHA512 be welcomed?
It would be very helpful to have at least one password encryption algorithm within pam-MySQL which is (very) secure and Apache compatible.
If I compare the password encryption algorithms between Apache (mod_authn_dbd)
plain text, MD5 (salted, Apache variant), SHA1 (not salted), CRYPT, bcrypt
and pam-MySQL
crypt (plain text), crypt, MD5 (not salted), SHA1 (not salted), Drupal7 (salted), use_323_passwd, MySQL
there are no highly secure algorithms in common. SHA1 without salt seems to be the most secure algorithm for both, but SHA1 is not very secure.