HTTP Authentication with hash H(A1) to avoid storing password in flash memory.

[overtone1000]

Basic Infos

• This issue complies with the issue POLICY doc.
• I have read the documentation at readthedocs and the issue is not addressed there.
• I have tested that the issue is present in current master branch (aka latest git).
• I have searched the issue tracker for a similar issue.
• If there is a stack dump, I have decoded it.
• I have filled out all fields below.

Platform

• Core Version: [cdb5495]

Other Pertinent Issues/PRs

• have only found one issue (Support for user provided MD5 credentials for ESP8266WebServer authentication #4392) that asked a related question about digest authentication, but this was closed as the question was about the security of the transmission, not about its storage. This issue was quickly closed.
• I have found two pull requests (Add getUserPasswordHash() and auth using hash #3328 and HTTP Client method for specifying whole authorization data #4404) that address a similar issue with basic authentication.

Description

This is a feature request.

RFC 2617 4.13 discusses storing credentials as the username and H(A1) rather than the username and password, but this isn't possible with the current implementation of Digest authentication in the ESP8266WebServer class because the authenticate function takes username and password as arguments.

I've implemented this feature in PR #6020, but my primary reason for creating this issue is to facilitate discussion as suggested in the documents. The primary question I have is whether this proposed feature offers such a small benefit in security that it isn't even worth the trouble.

Thanks for your time.

[earlephilhower]

Closing as #6020 is now merged.