APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based passwords. Moore's law and algorithmic improvements are increasingly making passwords stored in those hash functions vulnerable to cracking. It would be beneficial if there were stronger hash functions such as sha256/512, whirlpool, or pbkdf2 available for use.
I forgot to mention that any newer hashing function should support salting.
(In reply to comment #0)
> APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based
> passwords. Moore's law and algorithmic improvements are increasingly making
> passwords stored in those hash functions vulnerable to cracking.
>
> It would be beneficial if there were stronger hash functions such as
> sha256/512, whirlpool, or pbkdf2 available for use.

Another option would be to call the system crypt() function and leverage any capabilities it has with stronger hashes. So for the ALG_CRYPT case in htpasswd.c's mkrecord(), instead of just calling rand() to generate the salt, one would call generate_salt() and prepend "$2a$", "$5$", or "$6$" to it so that the system starts using a different algorithm. This may not work on all platforms (e.g., Solaris 8, AIX 5L), but for any Unix revision released in the last ten years it should be okay.
apr-util 1.5.x will add bcrypt support
apr-util 1.5.1 has been released.
Support for htpasswd has been added in trunk in r1395255.
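
Added example, not part of the bug thread and not APR or htpasswd code: a Python audit that classifies each entry of an htpasswd-style file by its hash-scheme marker and reports the entries still using the schemes the report wants replaced (crypt(), MD5, SHA1). The `$apr1$`, `{SHA}` and `$2y$` markers are htpasswd's own formats and are not named in the thread; the function names are hypothetical and the sample entries are constructed filler, not real hashes.

```python
import re

# Weak/strong split follows the thread: crypt(), MD5 and SHA1 are the schemes
# the report wants replaced; bcrypt, $5$ and $6$ are the proposed alternatives.
C = r"[./A-Za-z0-9]"  # crypt(3) base64 alphabet
SCHEMES = [  # (pattern, scheme name, acceptable?)
    (re.compile(rf"^\$2[abxy]\$\d\d\${C}{{53}}$"), "bcrypt", True),
    (re.compile(rf"^\$6\$(?:rounds=\d+\$)?{C}{{0,16}}\${C}{{86}}$"), "sha512-crypt", True),
    (re.compile(rf"^\$5\$(?:rounds=\d+\$)?{C}{{0,16}}\${C}{{43}}$"), "sha256-crypt", True),
    (re.compile(rf"^\$apr1\${C}{{1,8}}\${C}{{22}}$"), "apr1-md5", False),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", False),
    (re.compile(rf"^{C}{{13}}$"), "des-crypt", False),
]

def classify(hash_field):
    # Return (scheme name, acceptable?) for the hash part of one entry.
    for pattern, name, acceptable in SCHEMES:
        if pattern.match(hash_field):
            return name, acceptable
    return "unknown", False  # plaintext, truncated or unrecognised format

def audit(lines):
    # Return (line number, user, scheme) for every entry that needs rehashing.
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no credential
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed"))
            continue
        name, acceptable = classify(hash_field)
        if not acceptable:
            findings.append((lineno, user, name))
    return findings

# Constructed sample: hash bodies are filler of the right length, not real hashes.
SAMPLE = [
    "alice:$2y$05$" + "a" * 53,
    "bob:$apr1$saltsalt$" + "b" * 22,
    "carol:{SHA}" + "c" * 27 + "=",
    "dave:" + "d" * 13,
    "erin:$6$saltsaltsaltsalt$" + "e" * 86,
    "frank:$5$rounds=10000$salt$" + "f" * 43,
]

if __name__ == "__main__":
    for lineno, user, scheme in audit(SAMPLE):
        print(f"line {lineno}: {user} uses {scheme}, rehash at next login")
```

A 13-character plaintext value drawn from the crypt alphabet is indistinguishable from a DES crypt() hash by format alone, so it is reported as `des-crypt`; both cases need the same remediation.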