HTTP Digest Auth is susceptible to offline brute force attacks

[tibbe]

Since HTTP Digest Auth uses MD5 to hash passwords it's feasible to brute-force the password database if it ever gets compromised. Current best-practice is to use a purposely slow hashing algorithm e.g. by using bcrypt.

[dcoutts]

Would it work for us to use an extra hashing round for the stored passwords and still use http digest auth? As far as I can see that'd work. Am I missing anything?

[gracenotes]

All the user sends is a hash, which requires us to concatenate md5(username:realm:password) with other request-specific things to reconstruct.

[dcoutts]

Mmm, yes I see. (see checkDigestAuthInfo)