how to use Oracle's dbms crypto to create htpasswd compatible passwords

Question

Is there any way to use Oracles DBMS_CRYPTO PL/SQL package to create passwords that are compatible with apache's htpasswd? So in a PL/SQL package I create a hashed password which when later stored in an .htpasswd file, will work fine.

We currently do this in unix with the command htpasswd -n -b -d. However, we would like to create them and save them in an Oracle table. Then retrieve them to create the .htpasswd files when needed.

Thanks!

Joe

Answer 1

The htpasswd tool is capable of generating a handful of hashed password types. You're using the -d flag, which uses the prehistoric crypt() hash format. crypt() hashes are amazingly insecure and deliciously easy to crack.

According to this manual page from Oracle 10g, the DBMS_CRYPTO package does not support crypt(). This isn't surprising.

You're going to need to switch to a different hashing algorithm in order to pull this off. The most straight-forward way would be the equivalent of using the -s flag instead of the -d flag to create SHA1 passwords. Try it out on the command line to see the results. The password format given is the literal string {SHA}, followed by the base64 encoded SHA1 hash, with no salting. The DBMS_CRYPTO package seems to support SHA1 and hints that there's a function to do base64 encoding as well. Or, if you're doing the .htpasswd file generation yourself, you can simply store the hash in whatever way you prefer and convert it on output using your language of choice.