Ooops@feddit.orgPlease note that to use “bcrypt” for htpasswd_encryption you need the bcrypt python module installed. Some distributions of radicale (eg. some docker images) don’t have it.
It’s fairly safe to set it to “md5” instead. It does not mean plain MD5 (one iteration), it does several hundred rounds of MD5 plus a salt.
For the curious, the advantage of bcrypt over a single-iteration, fast hash like MD5 is that bcrypt lets you set the hashing effort, while MD5’s goal is to do it as fast as possible.
This becomes relevant when someone steals your password file and tries to brute force it by hashing a bunch of dictionary words and random strings (plus a bunch of salts) until something matches. A fast single-iteration hash like MD5 will let them do that much faster than a bcrypt hash set to a higher effort; it can mean the difference between finding a password in one week vs finding one in 100 years. That’s what the hundreds-of-iterations MD5 is trying to achieve, it’s a “poor man’s bcrypt”.
Nomad@infosec.pub 5 days ago
Don’t generate password files online,…
Cyber@feddit.uk 5 days ago
… because? … or, instead, do…?
Nomad@infosec.pub 5 days ago
Because if I wanted to harvest a bunch of passwords I would offer a online password generator.
Do use apache utils locally.
While you are right in general, you are creating a file with a <user>:<hased password> line. Have fun searching the world for where I might have actually used it.