With passwords for HTTP[S], normally they are stored entirely in plaintext. So, no. Probably the Apache Foundation will wipe all the passwords and require a total reset of brutus.apache.org
I'm an idiot. They were stored in SHA-512 hashes, since they were passwords for JIRA, but the likelihood of the passwords breaking on a dictionary attack is apparently high.
And they also logged passwords with a fake login page, so protections like that are pretty much void...
So, meh... It's my fault for not reading the article... When will I learn? :P
People who still use HTTP's basic auth need to be slapped. There's little reason not to use digest.
That said, only .htpasswd seems to ever be cleartext. If you save them in a database (and anything as "large" as JIRA would do so) then they are usually hashed at least. Why unsalted, I don't know.
If you use digest auth, you must store the passwords in either clear text or at least with a reversible cipher. You can calculate the digest using a hash, but then the hash itself becomes the clear text password which makes little sense.
With digest you're trading secrecy on the backend for secrecy on the wire. TLS + basic is superior IMO.
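The trade-off the last two replies describe, as an added example that is not from any commenter: a Digest server has to keep HA1 (or the plaintext) per user, and its own verifier accepts a response built from that stored value alone, whereas Basic over TLS lets the server keep a salted, slow hash that does not authenticate anyone by itself. Credentials, realm, nonce and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here comes from the Apache incident.
USER, REALM, PASSWORD = "alice", "jira", "correct horse battery"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password). A Digest server must store
    this (or the plaintext) for every user, so the table is password-equivalent."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Client response in the plain (no-qop) form. Only HA1 is needed, never PASSWORD."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str, response: str) -> bool:
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Basic over TLS: the wire is protected by TLS, so the backend can keep a salted,
# slow hash instead. PBKDF2-SHA512 and 200k iterations are the example's choice.
ITERATIONS = 200_000

def basic_record(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)  # fresh random salt per user
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)

def basic_verify(record: tuple[bytes, bytes], password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def unsalted_sha512(password: str) -> str:
    """What an unsalted store holds: identical for every user with the same password,
    so one precomputed dictionary table covers the whole user base."""
    return hashlib.sha512(password.encode()).hexdigest()

def demo() -> dict[str, bool]:
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    nonce = "constructed-nonce-0001"
    # Built from the stored HA1 only; the server's verifier still accepts it.
    reply_without_password = digest_response(ha1, "GET", "/browse/X", nonce)
    rec_a, rec_b = basic_record(PASSWORD), basic_record(PASSWORD)  # two users, same password
    return {
        "digest_table_is_password_equivalent": digest_verify(ha1, "GET", "/browse/X", nonce, reply_without_password),
        "salted_records_differ_per_user": rec_a[1] != rec_b[1],
        "unsalted_records_collide": unsalted_sha512(PASSWORD) == unsalted_sha512(PASSWORD),
        "salted_verify_works": basic_verify(rec_a, PASSWORD) and not basic_verify(rec_a, "wrong"),
    }
```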
Naturally, the passwords were not in clear (Score:1)
The passwords were stored as hashes (message-digest or otherwise) with randomized salt, right? I mean, they have a clue about security, surely.
Right?
Re:Naturally, the passwords were not in clear (Score:2)
TLS + anything is superior in everything but CPU usage.
I personally think the web would be a better place if TLS (or at least SSL) was "standard" (i.e., used in place of regular HTTP).