
This queue is for tickets about the Apache-Htpasswd CPAN distribution.

Report information
The Basics
Id: 5483
Status: resolved
Priority: 0/
Queue: Apache-Htpasswd

People
Owner: Nobody in particular
Requestors: info [...] keli.dk
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.5.5
Fixed in: (no value)



Subject: Htpasswd always calls crypt with the same salt
After creating a few entries with Apache::Htpasswd I noticed that all the entries had the same salt. The error looks to be on line 382 in function CryptPasswd where it tries to generate a salt for the crypt function:

    ($salt = substr ($0, 0, 2)) =~ tr/:/C/;

As far as I understand this takes the first two letters of the path of the script running (replacing any :s with Cs). As the script location is fairly constant, this will result in a very constant salt.

As the functions for manipulating the password file don't allow supplying a custom salt for the hashing function, I consider this a major error.

Following is an example of how to create a random salt for the crypt function:

    my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    my $salt = join '', @alphabet[rand 64, rand 64];
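
An audit check for the symptom reported above, added here as an example (it is not part of the ticket or of Apache::Htpasswd): it groups the traditional crypt entries of an htpasswd file by their two-character salt and reports salts and whole hashes shared between users. The function name and the sample file are assumptions; the sample hash strings are constructed in the right format and are not real crypt output.

```python
import re
from collections import defaultdict

# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def audit_htpasswd(text):
    """Return (salt -> users, hash -> users) for DES crypt values used more than once."""
    by_salt = defaultdict(list)
    by_hash = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        pw_hash = rest.split(":", 1)[0]  # ignore any extra fields after the hash
        if not DES_CRYPT.match(pw_hash):
            continue  # entries in other hash formats are out of scope here
        by_salt[pw_hash[:2]].append(user)  # crypt stores the salt as the first 2 chars
        by_hash[pw_hash].append(user)
    shared_salts = {s: u for s, u in by_salt.items() if len(u) > 1}
    # Same salt and same password give the same hash, so duplicates are visible.
    shared_hashes = {h: u for h, u in by_hash.items() if len(u) > 1}
    return shared_salts, shared_hashes


# Constructed sample file: the salt "/u" is what substr($0, 0, 2) would yield
# for a script run from a path such as /usr/... (hypothetical location).
SAMPLE = """\
alice:/uAbCdEfGhIjK
bob:/uZyXwVuTsRqP
carol:/uAbCdEfGhIjK
dave:$apr1$constrct$0123456789abcdefghijkl
erin:k3LmNoPqRsTuV
"""

if __name__ == "__main__":
    salts, hashes = audit_htpasswd(SAMPLE)
    for salt, users in salts.items():
        print(f"salt {salt!r} shared by: {', '.join(users)}")
    for pw_hash, users in hashes.items():
        print(f"identical hash (same password) for: {', '.join(users)}")
```

With only 4096 possible salts, a large file will show some chance reuse even with random salts; every entry sharing one salt is the pattern that matches this report.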