Responsive image

I run a few sub-directories on various different sites that use a Basic HTTP Auth that is commonly built into Apache and Nginx. I add users sparingly but when I do I like to store a hash of the password of their choosing rather than the password itself. This way I can sleep easier at night knowing I’m not holding their passwords in plain-text, and if they decide to use a password they commonly use I don’t have to worry as much about something happening to it.

A problem I often run into is trying to get a user to generate a password in a secure way without having them to have Apache installed or some other piece of software. Fortunately, most of the people that are accessing sites I’m running are using Linux. A while ago, I had reached out to some friends from an IRC channel I frequent on how to generate a secure password hash that would be recognized by Apache and that wouldn’t require a user to have Apache or Apache’s utilities installed. It isn’t really necessary to have Apache installed on your machine unless you are actually going to host a website.

The first one-liner we came up with was:

    echo -n "foobar" | sha1sum | cut -d' ' -f1 | xxd -r -p | base64

This does the job, and works.

However, there is a problem. If you run this multiple times, you’ll always get the same output. This means that the hash is static and doesn’t include a Salt. This can be problematic for several reasons, one of which is that if their password is short and easy to bruteforce somebody could reverse it.

This concern lead to us to come up with:

    USR="yourname";PWD="foobar";SALT="$(openssl rand -base64 3)";SHA1=$(printf "$PWD$SALT" | openssl dgst -binary -sha1 | sed 's#$#'"$SALT"'#' | base64); echo "$USR:{SSHA}$SHA1"

This improves upon the first one-liner by adding a salt. Though, both still aren’t ideal and should use SHA2 instead of the weaker SHA1 algorithm.

I wouldn’t recommend using a salted SHA1 password hash in a production environment considering that it would be safer to use a salted SHA2 password hash instead.

This was originally published on my Github Gist wall, here.

This posted was updated 2016-03-18.


comments powered by Disqus

~ About me ~
I am a human who enjoys writing code.
~ Follow me ~
~ GitHub Recent Activity ~

Status updating...

~ Interesting Links ~