curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: use 'first hash' instead of password to do digest auth

From: Nicolas Roeser via curl-library <>
Date: Wed, 22 May 2019 08:20:26 +0200

Hi Erik!

Erik Janssen wrote on 2019-05-21T16:13:18+00:00 via curl-library:
> Maybe this is not a curl question, and it is my lack of knowledge about storage of credentials getting in the way.

It is not really a curl question, I agree. Even though, I’ll try to give
you some advice.

> Reading made me realise that if I could store the username + password after first successful connection as "HA1", (thus: MD5(username:realm:password)), and reuse that value later on when the program runs again, then I can have reasonably secure storage of passwords in my application.

I disagree about the “secure” part.

> But libcurl would need to allow me obtaining that value, and passing HA1 later on instead of normal username+ password credentials, and of course authentication would have to be digest-only.
> Does this make sense? Or is there a better/more common way for secure password storage I have overlooked.

It is uncommon for application-level libraries to give you access to a
login information object in a form that is prepared for being sent over
the wire. MD5 is not a great hashing algorithm (anymore), too. I would
advise against storing credentials this way.

What is far more common (and more secure):

(1) Do not store user credentials at all. Which means: delegate that
task to a password manager, that’s its core competency.

(2) If you like to store credentials without connecting another system
that does so: store username and password, but do not pre-hash anything.
Instead, encrypt the data using a well-known, well-tested, strong
encryption algorithm. (Do not invent the crypto yourself.) Use a master
key/password and/or an external hardware token and/or another form of
strong authentication and key generation. You may need a KDF. And, well,
you are inventing a password manager then. 😉

Many applications do something like (2) in various forms. It depends on
what the security requirements are in the particular context.

I’d also recommend that you check sources in this subject area, like a
good book on computer security. Or try to search the web or Stack
Overflow about how to securely store passwords.

Have fun with your project!

Nicolas Roeser
kiz – Information Systems Department, Ulm University
Received on 2019-05-22