Old 04-26-2018, 10:01 PM   #2
kovidgoyal
creator of calibre
Posts: 45,434
Karma: 27757438
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
The passwords have to be stored in plaintext, because otherwise you lock in a single auth method (you would have to store the MD5 hash of the password for digest auth). This has various problems:

1) The stored password can only be used for digest auth or plaintext auth. No other auth schemes that might be developed in the future can be used.
2) MD5 is broken and so storing using an MD5 hash is only a marginal improvement over storing in plaintext.
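Added example, not part of the original post and not calibre's code: a sketch of what a server that stores only the digest-auth MD5 hash (HA1 in RFC 2617) can and cannot verify. The function names are hypothetical and the sample values are the worked example from RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_md5(user: str, realm: str, password: str) -> str:
    # The value a server would store instead of the plaintext password.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 request-digest for qop=auth; needs HA1, never the password itself.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def verify_plaintext(stored_ha1, user, realm, submitted_password) -> bool:
    # Plaintext (Basic) auth still works: re-hash what the client sent.
    return hmac.compare_digest(ha1_md5(user, realm, submitted_password), stored_ha1)

def ha1_sha256(user: str, realm: str, password: str) -> str:
    # The SHA-256 digest variant (RFC 7616) needs this value; it cannot be
    # derived from the stored MD5 HA1, only from the plaintext password.
    return hashlib.sha256(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

# Sample values from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
STORED_HA1 = ha1_md5(USER, REALM, PASSWORD)

if __name__ == "__main__":
    uri = "/dir/index.html"
    resp = digest_response(STORED_HA1, "GET", uri, NONCE, NC, CNONCE)
    print("digest response:   ", resp)
    print("digest verifies:   ", verify_digest(STORED_HA1, "GET", uri, NONCE, NC, CNONCE, resp))
    print("plaintext verifies:", verify_plaintext(STORED_HA1, USER, REALM, PASSWORD))
    print("SHA-256 HA1 (needs the plaintext):", ha1_sha256(USER, REALM, PASSWORD))
```

Because `digest_response` takes only the stored hash, that hash has to be protected like the password itself for its realm.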