A web service user wanting to access user-private data (tags, ratings, collections) may authenticate via HTTP Digest or via OAuth. Having the former option affects account security negatively, in two ways:
- Clients need to know the password.
- In order to support HTTP Digest auth, the server is forced to store the ha1 value, which is essentially an MD5 hash of the password (with the user name as “salt”). MD5 is mostly broken – hashes can be calculated very quickly on modern computers (GPUs in particular), and there is a fast chosen-prefix collision attack rendering the “salt” mostly useless. Consequently, storing ha1 is almost as bad as storing plaintext passwords today.
We should therefore deprecate the HTTP Digest auth method for the web service and remove it at a flag day in the (not too distant) future; clients should use OAuth instead. After that, the ha1 value can be removed from the database.
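To make the storage problem concrete, here is an added example (not code from the web service itself) that computes HA1 and the Digest response exactly as RFC 2617 defines them, so it is visible that the server-side check consumes HA1 rather than the password, and then contrasts it with the kind of salted, slow password hash the server could store once Digest is gone. The `digest_*` and `pbkdf2_*` function names are mine; the user name, realm, password, nonce and cnonce are the public test vector from RFC 2617 section 3.5, not a real account.

```python
import hashlib
import hmac
import os


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username ":" realm ":" password).

    The only 'salt' is the user name and the realm, both public and fixed
    per account, and MD5 is cheap, so this is what the page calls almost
    as bad as storing the plaintext password.
    """
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth:
    MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2), HA2 = MD5(method ":" uri).

    Note that the password never appears here: whoever holds HA1 can produce
    a valid response, which is why HA1 is password-equivalent.
    """
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                           nc: str, cnonce: str, client_response: str) -> bool:
    """Server side of Digest auth. To verify at all, the server must have HA1
    (or the plaintext password) in its database; there is no other option."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def pbkdf2_record(password: str, iterations: int = 600_000) -> dict:
    """What the server can store instead once Digest is removed: a random
    16-byte salt and a deliberately slow PBKDF2-HMAC-SHA256 output. The record
    is only useful for checking a password presented at login (e.g. when an
    OAuth token is issued); it cannot be replayed to authenticate."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def pbkdf2_verify(record: dict, password: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo() -> dict:
    # Public RFC 2617 section 3.5 test vector (not a real account).
    username, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    method, uri = "GET", "/dir/index.html"

    # Client side: derive HA1 from the password and answer the challenge.
    ha1 = digest_ha1(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)

    # Server side: the stored HA1 is all that is needed to accept the response.
    digest_ok = server_verifies_digest(ha1, method, uri, nonce, nc, cnonce, response)

    # Contrast: the PBKDF2 record verifies a presented password and nothing else.
    rec = pbkdf2_record(password)
    return {
        "ha1": ha1,
        "response": response,
        "digest_ok": digest_ok,
        "pbkdf2_ok": pbkdf2_verify(rec, password),
        "pbkdf2_wrong": pbkdf2_verify(rec, "not the password"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `digest_response` signature is the point of the example: the server's verifier takes HA1 and never the password, so the database must hold a value from which valid responses can be produced directly. The PBKDF2 record, by contrast, is a one-way check on a password the user presents at login, with a per-user random salt and a tunable work factor; dropping Digest is what makes that switch possible.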