Feature Proposal: Change the default encoding from crypt to apache-md5

Motivation

crypt is completely obsolete in that it truncates passwords to 8 characters. We've never changed the default because of the impact on existing passwords.

Now that the {Htpasswd}{AutoDetect} option is available, we have some more flexibility.

Description and Documentation

• Change the default encoding to apache-md5.
  • New sites will start out with a more secure encoding. Existing sites will remain on crypt, but with errors reported by configure
• Enable {Htpasswd}{AutoDetect} by default.
  • This avoids damage if an existing site "upgrades" by rebuilding LocalSite.cfg and fails to notice the changed default. The other option would be to have the checker force it to enabled when .htpasswd exists.
• Change the checker for {Htpasswd}{Encoding} to Error if crypt is chosen.
  • This is to more strongly encourage existing sites to change to stronger password hash.

Examples

New sites start out with apache_md5 encoding. {AutoDetect} will be enabled, but not really needed. Admin can disable it if they choose, but no warnings will be displayed to encourage it.

Existing Site on crypt upgrades Foswiki

• Depending upon the previous version, {AutoDetect} might be automatically enabled. (Upgrade from prior to 1.1.3 will get it enabled because it doesn't exist in the configuration).
• Configure will report an error recommending that {Htpasswd}{Encoding} be changed from crypt
• [Checker will also enable {AutoDetect} for safety purposes}

If the admin makes the change to something other than crypt, the passwords will be upgraded in the file over time as the users change passwords. It is up to the site whether or not they push users to change passwords.d

Existing site on crypt installs Foswiki new (eg. 1.0.x to 1.1.5)

• {Htpasswd}{Encoding} defaults to apache_md5 and {AutoDetect} defaults to enabled.
• Migration copies over existing .htpasswd.
• Old passwords will continue to work and will migrate to apache_md5 as users change passwords or register.

Impact

WhatDoesItAffect:

%WHATDOESITAFFECT%

edit

Implementation

-- Contributors: GeorgeClark - 12 Feb 2012

Discussion

The reason I've recommended that apache-md5 be the default and recommended encoding:

• It's salted
• It has wide compatibility
• It's CPAN requirements - Digest::MD5 - have been available in perl core since 5.7.3

-- GeorgeClark - 12 Feb 2012

and don't forget the important:

• its supported by apache

-- SvenDowideit - 12 Feb 2012

You don't mention how existing sites will manage upgrade. Is the assumption that they will remain on crypt?

-- CrawfordCurrie - 12 Feb 2012

George added a fantastical new feature, Tasks.Item10962 which means that Foswiki will auto-detect the password encoding of any .htpasswd entry, so we can switch the site to a new encoding without invalidating existing passwords.

My only concern is that {Htpasswd}{AutoDetect} is off by default (does it need to be?) - meaning users have to pull more levers to get any benefit

-- PaulHarvey - 12 Feb 2012

Crawford, my assumption is that we won't force a site to upgrade, but will more strongly encourage it by changing the message for crypt encoding from a warning to an error. I'm adding some notes above wrt/ upgrade procedure.

Paul, I also proposed changing the {AutoDetect} default as well. And/or possibly forcing it on in an initial checker if .htpasswd exists. I probably need to try that out a bit before settling on the actual checker results.

There really isn't a lot to this feature. The primary effect is to change the default for new sites to something more modern, rather than having our default installations "broken".

-- GeorgeClark - 12 Feb 2012

I should add that we've been using {AutoDetect} on the TRIN wiki for some months now, with no problems to report.

-- PaulHarvey - 12 Feb 2012