Can I use an already encoded MD5 password in digest authentication?

I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But while reading the documents, it looks like the hash contains the hash of the username, realm, and plaintext password. Is there a way to use the MD5 password hash in this situation?

+6
passwords hash md5 digest-authentication
4 answers

No. If the hash they need is generated like this:

MD5(username + realm + password)

You are out of luck.

If they hashed the password as follows:

MD5(MD5(password) + username + realm)

You could do this with only the hashed password. But that does not look like what is happening.

+5

No, you have to store the Digest HA1 hash in the tables and use it for other auth types (forms and Basic). See here: Storing Password in Tables and Digest Verification

+4

No, it is impossible. The whole point of digest authentication is to avoid repeated attacks, i.e. someone only has a hashed version (some authentication data), not real data.

This is not only a hash of the username, realm and unencrypted password, but also a nonce, which will change every time. So you really need a plaintext password.

+3

No. In digest authentication, the password is hashed with a call; there is no way to make it work with another hash.

Basic auth over HTTPS is more secure and should work with your hashed password.

0
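The following added example (not part of any answer above) shows server-side Digest verification as defined in RFC 2617 with qop=auth: a stored HA1 is enough to check the client's response, while a stored MD5(password) is not. The function names are illustrative, the sample request is the worked example from RFC 2617 section 3.5, and nonce freshness checking is left out.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: what the server can store instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response the client must send, derived from the stored HA1 only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_hash: str, method: str, fields: dict) -> bool:
    """Check parsed Authorization fields against the hash in the database."""
    want = expected_response(stored_hash, method, fields["uri"],
                             fields["nonce"], fields["nc"],
                             fields["cnonce"], fields["qop"])
    return hmac.compare_digest(want, fields["response"])


# Sample input: the request from RFC 2617 section 3.5 (method GET).
PASSWORD = "Circle Of Life"
FIELDS = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}


def demo():
    # Database holds HA1 = MD5(username:realm:password): verification works.
    with_ha1 = verify(ha1(FIELDS["username"], FIELDS["realm"], PASSWORD),
                      "GET", FIELDS)
    # Database holds only MD5(password): the same request cannot be verified.
    with_md5_password = verify(md5_hex(PASSWORD), "GET", FIELDS)
    return with_ha1, with_md5_password


if __name__ == "__main__":
    print(demo())
```

Because the stored HA1 is all that is needed to compute a valid response, it has to be protected like a password for that realm.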