Open
Description
htpasswd files like those generated by Apache are not properly supported.
The format is:
test:{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=
{SHA} is the hashing algorithm used; it can be MD5 or SHA. Without it, the CRYPT function is used.
htpasswd --help
....
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 17).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
Currently, the server uses verify(), which does not properly detect anything but crypt, rendering the file insecure.
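Added example, not part of the original issue or the project's code: prefix-based scheme detection for htpasswd entries, with `{SHA}` verification and a fail-closed path for schemes it does not implement. The function names are hypothetical, the `$apr1$` and `$2y$` prefixes are the ones Apache's htpasswd writes for `-m` and `-B`, and the credentials used to exercise it are constructed.

```python
import base64
import hashlib
import hmac

# Prefixes written by Apache's htpasswd; an entry with none of them is crypt(3).
PREFIXES = (
    ("{SHA}", "sha1"),       # htpasswd -s
    ("$apr1$", "apr1-md5"),  # htpasswd -m
    ("$2y$", "bcrypt"),      # htpasswd -B
)

def parse_line(line):
    """Split 'user:hash' and reject lines with a missing part."""
    user, sep, stored = line.rstrip("\r\n").partition(":")
    if not sep or not user or not stored:
        raise ValueError("malformed htpasswd line")
    return user, stored

def detect_scheme(stored):
    """Name the hashing scheme from the stored value's prefix."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    return "crypt"

def verify_sha(stored, password):
    """{SHA} entries hold base64(SHA-1(password)), unsalted."""
    try:
        expected = base64.b64decode(stored[len("{SHA}"):], validate=True)
    except ValueError:
        return False          # not valid base64: never a match
    if len(expected) != hashlib.sha1().digest_size:
        return False
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)  # constant-time compare

def check_entry(line, password):
    """Hypothetical entry point: dispatch on scheme, fail closed otherwise."""
    _, stored = parse_line(line)
    scheme = detect_scheme(stored)
    if scheme == "sha1":
        return verify_sha(stored, password)
    # Refuse rather than hand the value to a verifier for another scheme.
    raise NotImplementedError("unsupported htpasswd scheme: " + scheme)

def make_sha_entry(user, password):
    """Build a constructed {SHA} entry for testing (same format as -s)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return user + ":{SHA}" + base64.b64encode(digest).decode("ascii")
```

The `apr1-md5`, `bcrypt` and `crypt` branches are left unimplemented on purpose; a real verifier would plug in a library for each and keep the refusal for anything it cannot identify.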