Bug #2483 (closed)
problems with htpasswd crypt(3) support [patch]
Description
I've been trying to use bcrypt with lighttpd's htpasswd support in mod_auth. Current versions of these look like this:
$2a$09$mnKs1iO4h3egPBIROOwvh.Xax70l3rFhvr4evXxJRFQMUziX/A82i
2a is the variant version; other ones currently used are 2x and 2y. 2 is long defunct.
09 is the log of the number of rounds.
The password AND salt are included in the final characters.
To compare a password you pass the entire hashed string to crypt() along with the user-supplied password, then compare the returned value against the stored value in the htpasswd file. This same method also works, at least in glibc and OpenBSD, for MD5 and for old-style crypted passwords; there is no need to split off the salt.
Diff attached.
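The comparison described in the report (hand the whole stored hash to crypt() as its second argument, then compare the result with the stored value), as an added example that is neither the attached diff nor lighttpd's code. It also covers the failure cases a caller has to handle: a NULL return or a failure token beginning with `*`. The names `htpasswd_check`, `crypt_fn` and `demo_crypt` are hypothetical; `demo_crypt` is a constructed stand-in so the block runs without libcrypt, and real code passes `crypt` in its place.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3). In real use pass crypt itself (link with -lcrypt). */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Returns 1 on match, 0 on mismatch or on any crypt() failure. */
int htpasswd_check(crypt_fn do_crypt, const char *stored, const char *password)
{
    const char *out;
    size_t i, n;
    unsigned char diff = 0;

    if (stored == NULL || stored[0] == '\0') return 0; /* empty field never matches */
    out = do_crypt(password, stored);           /* whole stored string, salt not split off */
    if (out == NULL || out[0] == '*') return 0; /* unsupported scheme or failure token */
    n = strlen(stored);
    if (strlen(out) != n) return 0;
    for (i = 0; i < n; i++)                     /* compare without an early exit */
        diff |= (unsigned char)(out[i] ^ stored[i]);
    return diff == 0;
}

/* Constructed stand-in, NOT a real hash: keeps the setting up to its last '$'
 * and appends the decimal byte sum of the key. Only here to make the demo run. */
static char *demo_crypt(const char *key, const char *setting)
{
    static char buf[128];
    const char *last = strrchr(setting, '$');
    unsigned sum = 0;

    if (last == NULL || (size_t)(last - setting) > 100) return NULL; /* unknown format */
    while (*key) sum += (unsigned char)*key++;
    snprintf(buf, sizeof buf, "%.*s$%u", (int)(last - setting), setting, sum);
    return buf;
}

int main(void)
{
    /* Constructed sample entry: demo_crypt("secret", "$demo$salt$") */
    const char *stored = "$demo$salt$646";

    printf("secret -> %d\n", htpasswd_check(demo_crypt, stored, "secret"));
    printf("Secret -> %d\n", htpasswd_check(demo_crypt, stored, "Secret"));
    return 0;
}
```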
Updated by sthen_ over 11 years ago
"The password AND salt are included in the final characters." -- I meant, "included in the final argument".
Updated by stbuehler over 11 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r2869.