I just noticed that the SHA-1 option in htpasswd (Apache's .htpasswd file generator) does not use a salt, while the MD5 format does...
Testing with the password "test":
gslin@colo-p [~] [17:44/W7] touch test.txt
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test1 test
Adding password for user test1
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test2 test
Adding password for user test2
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test3 test
Adding password for user test3
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test4 test
Adding password for user test4
The result is:
test1:$apr1$GU6SyO0y$I.Ng9o4H8Tcje.M2A6ECb0
test2:$apr1$uqoX9b/x$7zGMAKqRjvoi6HHSKtaRO.
test3:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
test4:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
According to the manual, the SHA scheme htpasswd uses was ported from Netscape server's LDAP Directory Interchange Format (ldif):
Use SHA encryption for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif).
The Security Considerations section also states explicitly that the SHA scheme used by htpasswd is unsalted:
The SHA encryption format does not use salting: for a given password, there is only one encrypted representation.
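As an added example (my own code, not part of the original post or of Apache's htpasswd), here is a small Python reimplementation of both formats seen above plus a checker for .htpasswd lines: the {SHA} form reproduces the test3/test4 string exactly, and the $apr1$ form follows Apache's MD5-crypt variant (1000 MD5 rounds with the salt mixed in), which is why test1 and test2 differ even though the password is the same.

```python
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha_htpasswd(pw: bytes) -> str:
    # {SHA}: base64(SHA-1(password)) with no salt, so equal passwords always
    # give the identical string (test3 and test4 above).
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()


def apr1_htpasswd(pw: bytes, salt: str) -> str:
    # $apr1$: Apache's MD5-crypt variant; 1000 MD5 rounds mixing in the salt.
    salt = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(salt)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    def to64(v, n):  # crypt-style base64, low 6 bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$apr1$" + salt.decode() + "$" + enc + to64(final[11], 2)


def verify(entry: str, password: str) -> bool:
    # Check one "user:hash" line from .htpasswd in either scheme.
    stored = entry.split(":", 1)[1]
    pw = password.encode()
    if stored.startswith("{SHA}"):
        expected = sha_htpasswd(pw)
    elif stored.startswith("$apr1$"):
        expected = apr1_htpasswd(pw, stored.split("$")[2])
    else:
        return False
    return secrets.compare_digest(stored, expected)
```

Because {SHA} has no salt, two users with the same password are visible as duplicates in the file, and one precomputed table works against every entry.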
Password storage these days should be moving toward bcrypt and PBKDF2; see 依林姊姊's post 「請愛用 bcrypt 和 PBKDF2」 (Please use bcrypt and PBKDF2). The latter, PBKDF2, is what WPA2 uses.