MD5 Authentication Support

Purpose

The main problem with Basic ByPassword authentication is that on every transaction, your password and login are sent over the net uuencoded. UUencoding is not much of a deterrent to those wily crackers, so the folks at Spyglass came up with MD5 authentication.

MD5 is a mathematical formula that is supposed to have a very small probability of giving duplicate strings for different inputs. Using the password the user types in, the browser creates a string from the password and other information, including the AuthRealm, and passes it through MD5. The result is then passed over the net to the server, which takes the information stored in the .htpasswd file to create the same string, passes it through MD5, and compares the results. This way, it is nearly impossible to get the password out of the information sent across, because the password itself isn't sent across.

Sounds too good to be true? Well, there is a hitch. While it's safer to use across the network, it is more difficult to make safe on the local machine. Under Basic auth, the passwords are passed through crypt() and stored. crypt() is a one-way function, so the stored passwords can be viewed with little chance of being compromised (assuming the passwords are fairly unlikely to be guessed, since the only way to compromise them is to try crypt()'ing strings and comparing to the result). Under MD5, the server needs the information stored in the .htpasswd file to rebuild the string, so we can't use a one-way crypt() on it. Although we use MD5 on the password before storing it, if you have the stored code and a little knowledge, you can create a browser that uses it instead of the password, and it would work.

The solution is to enforce the Unix file permissions. Most servers these days run under an unprivileged user and group, and in order for anything to be viewable to the server, it has to be world readable. The best fix, on platforms which support it, is to set the group on all of the directories (and files in them) to a group which the server is in, and the users are not. Then, set the group id bit on the directories (chmod g+s). This should make it so that every file created in the directory is grouped in that group. Make everything rw for user and r for group, and you should be on your way. We're hoping that this beta testing will help us write a more informative guide to doing this.
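The following is an added example, not NCSA code, showing both sides of the exchange described above and why the stored value needs the file permissions just described. It assumes the RFC 2069 composition (stored hash = MD5(user:realm:password), response = MD5(hash:nonce:MD5(method:uri))) and a user:realm:hash line layout, neither of which this page spells out; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_entry(user: str, realm: str, password: str) -> str:
    """Line kept in the digest file (assumed layout): user:realm:MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def response_from_ha1(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response (assumed scheme): MD5(HA1:nonce:MD5(method:uri))."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")


def client_response(user, realm, password, nonce, method, uri) -> str:
    """What the browser sends: derived from the typed password, never the password itself."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return response_from_ha1(ha1, nonce, method, uri)


def server_verify(entry: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: rebuild the response from the stored line alone and compare."""
    _user, _realm, ha1 = entry.split(":", 2)
    expected = response_from_ha1(ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from the page.
USER, REALM, PASSWORD = "alice", "Web Staff", "correct horse"
ENTRY = stored_entry(USER, REALM, PASSWORD)
NONCE = secrets.token_hex(16)  # server-chosen challenge, fresh per request

if __name__ == "__main__":
    good = client_response(USER, REALM, PASSWORD, NONCE, "GET", "/private/")
    bad = client_response(USER, REALM, "wrong guess", NONCE, "GET", "/private/")
    print("right password accepted:", server_verify(ENTRY, NONCE, "GET", "/private/", good))
    print("wrong password accepted:", server_verify(ENTRY, NONCE, "GET", "/private/", bad))
    # The server never needed the password: the stored hash alone yields the
    # same response, so the digest file must not be world readable.
    ha1 = ENTRY.rsplit(":", 1)[1]
    print("stored hash is password-equivalent:",
          response_from_ha1(ha1, NONCE, "GET", "/private/") == good)
```

Because the realm is part of the stored hash, a leaked entry is only usable against that realm, which limits the damage but does not replace restricting who can read the file.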


Syntax

AuthDigestFile /u/Web/.htdigest standard

AuthType Digest

AuthDigestFile is a new directive that takes two arguments: the full pathname of the file in which the digest authentication data is stored, and the file format (usually standard, as opposed to dbm format).

To indicate that a directory is protected with MD5, you specify an AuthType of Digest, as shown above.


File

access.conf
.htaccess

Support Tools

There is a utility in the support directory called htdigest. This tool is helpful in creating the .htdigest files that MD5 needs. A more convenient version of this tool will be made available during this beta. It will have an interface similar to the htpasswd utility.


For developers:
NCSA HTTPd Development Team / httpd@ncsa.uiuc.edu / Last Modified 7-06-95