wigwam generated basic salted password secure?

18 May 2017, 22:34
Hi Hugo,

When I want to use authentication for the wepages access, I use Hiawatha v10.5 (yes, I should upgrade).
My passwords for protection on directories I generate passwords with wigwam -b .... These are stored in .htpassword files.
And I believe Hiawatha is secure, so my .htpassword is not retrievable by default.

But suppose I made a wrong configuration, and the file was downloaded in some way, can this file be decrypted with brute force effort in a small time frame?

Looking in your sourcefiles I notice MD5 references.
For basic, crypt is being used with MD5 hashing
For digest, mbedtls_md5 is being used.

Reading the FAQ at, I could be doubting about security because of the MD5 mentioning in your code.
So could this be a security issue? (I presume not, but asking is better )

Thanks in advance,
Hugo Leisink
19 May 2017, 19:09
A brute force attack is always possible, but how fast depends on how strong your passwords are. My advice: change the passwords as soon as possible. Another advice: never place passwords file within the website root directory. The choice for MD5 is not mine, it's defined in the HTTP authentication standard.
This topic has been closed.