I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But in reading the docs, it looks like the digest hash contains a hash of the username, realm and plaintext password. Is there any way to use the MD5 hash of the password in this situation?
No. If the hash they need is generated like so:
MD5(username + realm + password)
You are out of luck.
If they are hashing the password like so:
MD5(MD5(password) + username + realm)
You'd be able to do that with just the hashed password. But it doesn't sound like that's what's going on.
No, you have to store in the tables the HA1 hash of Digest and use that for other types of auth (forms and Basic). See here: Storing password in tables and Digest authentication
No, this is not possible. The whole point of digest authentication is to avoid replay attacks, i.e. where somebody has only a hashed version (of some authentication data) rather than the real data.
Not only is it a hash of username, realm, and plaintext password, but also a nonce, which will change every time. So you really need the plaintext password.
No. In digest authentication, the password is hashed with a challenge, there is no way to make it work with another hash.
Basic auth over HTTPS is more secure and it should work with your hashed password.