HTTP Authentication with hash H(A1) to avoid storing password in flash memory. #6021

Closed
@overtone1000


Basic Infos

  • This issue complies with the issue POLICY doc.
  • I have read the documentation at readthedocs and the issue is not addressed there.
  • I have tested that the issue is present in current master branch (aka latest git).
  • I have searched the issue tracker for a similar issue.
  • If there is a stack dump, I have decoded it.
  • I have filled out all fields below.

Platform

Other Pertinent Issues/PRs

Description

This is a feature request.

RFC 2617 4.13 discusses storing credentials as the username and H(A1) rather than the username and password, but this isn't possible with the current implementation of Digest authentication in the ESP8266WebServer class because the authenticate function takes username and password as arguments.

I've implemented this feature in PR #6020, but my primary reason for creating this issue is to facilitate discussion as suggested in the documents. The primary question I have is whether this proposed feature offers such a small benefit in security that it isn't even worth the trouble.

Thanks for your time.
