The passwords have to be stored in plaintext, because otherwise you lock in a single auth method (you would have to store the MD5 hash of the password for digest auth). This has various problems:
1) The stored password can only be used for digest auth or plaintext auth. No other auth schemes that might be developed in the future can be used.
2) MD5 is broken and so storing using an MD5 hash is only a marginal improvement over storing in plaintext.
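The coupling described in the comment above can be seen in code. The following is an added example (not the commenter's code) that implements the server-side part of HTTP Digest authentication as specified in RFC 2617, in the simplified form without `qop`, alongside a salted PBKDF2 password store. The Digest server only ever needs the per-user secret HA1 = MD5(username:realm:password), so that MD5 value is what must sit in the database; the PBKDF2 record, by contrast, can verify any scheme where the server receives the plaintext password, but cannot verify a Digest response. Credentials, realm and nonce are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example values; not taken from the original thread.
USERNAME = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery staple"


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 per RFC 2617: the only per-user secret a Digest server has to keep.
    Note that it is bound to the realm and is an unsalted MD5 hash."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response(ha1, method, uri, nonce):
    """What the client sends in the 'response' field (no qop, for brevity)."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


def verify_digest(stored_ha1, method, uri, nonce, response):
    """Server check: recompute the response from the stored HA1 and compare
    in constant time. The plaintext password is never needed here."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def pbkdf2_record(password, iterations=200000):
    """Scheme-agnostic store: random salt plus PBKDF2-HMAC-SHA256.
    Works for Basic auth or form login, where the server sees the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, dk, iterations)


def verify_pbkdf2(record, password):
    salt, dk, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def demo():
    """Round trip for both stores; returns the outcomes for inspection."""
    nonce = os.urandom(8).hex()
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    client_response = digest_response(ha1, "GET", "/protected", nonce)
    digest_ok = verify_digest(ha1, "GET", "/protected", nonce, client_response)

    record = pbkdf2_record(PASSWORD)
    basic_ok = verify_pbkdf2(record, PASSWORD)
    # The PBKDF2 record cannot be turned back into HA1, so the same user
    # cannot be authenticated over Digest from it; changing the realm also
    # invalidates every stored HA1.
    realm_bound = digest_ha1(USERNAME, "other.realm", PASSWORD) != ha1
    return digest_ok, basic_ok, realm_bound


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all three checks succeeding: the Digest server works from HA1 alone, the PBKDF2 store works from the plaintext alone, and the HA1 value is tied to the realm it was created for, which is the lock-in the comment describes.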