Re: [PATCH v2 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication
From: Jeff King <hidden>
Date: 2023-11-08 17:02:07
On Wed, Nov 08, 2023 at 03:57:23PM +0100, Patrick Steinhardt wrote:
> Regenerate the passwd files to instead use the default password encryption schema, which is md5. While it feels kind of funny that an MD5-based encryption schema should be more secure than anything else, it is the current default and supported by all platforms. Furthermore, it really doesn't matter all that much given that these files are only used for testing purposes anyway.

Thanks for doing this. I died inside a little while adding the proxy-passwd one recently in 29ae2c9e74 (add basic http proxy tests, 2023-02-16). There I mused about moving to bcrypt in a separate patch, which I think is probably the least-bad option from a security perspective. But I agree that md5 is more likely to be available everywhere, and we certainly don't care about security here.

-Peff