Digest password is the local authentication mechanism in Callimachus. It uses HTTP Digest Access Authentication, which never sends the user's password in cleartext. The other available mechanisms are cookie-based and are vulnerable to session hijacking because they reuse the same token over and over. Digest is instead based on a simple challenge-response paradigm that passes a different token for every request, and it is the strongest mechanism provided for unencrypted HTTP requests.

The digest manager stores user names and a password digest in the configured User folder. Every password digest is salted with the configured Auth name. In some cases the Auth name may also be shown to the user as part of a login prompt.
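The following added example (not Callimachus code) walks through the RFC 2617 computation behind both paragraphs above: a stored digest salted with a realm string, and a per-request response that changes with the nonce count. It assumes the Auth name plays the role of the Digest realm and that MD5 with `qop=auth` is in use; the sample values are the RFC 2617 illustration, and the `Verifier` class is hypothetical.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_digest(username: str, auth_name: str, password: str) -> str:
    """HA1 in RFC 2617: the value a server can store instead of the password.
    Assumption: the Auth name is used as the realm, so it acts as the salt."""
    return md5_hex(f"{username}:{auth_name}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """The per-request token the client sends in the Authorization header."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Verifier:
    """Server side (hypothetical): checks a response using only the stored
    digest and refuses a nonce count that has already been seen."""

    def __init__(self, ha1: str, nonce: str):
        self.ha1, self.nonce, self.last_nc = ha1, nonce, 0

    def check(self, method, uri, nc, cnonce, response) -> bool:
        count = int(nc, 16)
        if count <= self.last_nc:
            return False  # replayed or reordered request
        expected = digest_response(self.ha1, method, uri, self.nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc = count
        return True


if __name__ == "__main__":
    # Sample values from the RFC 2617 illustration, not from a real deployment.
    ha1 = stored_digest("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    server = Verifier(ha1, nonce)
    for nc in ("00000001", "00000002"):
        token = digest_response(ha1, "GET", "/dir/index.html", nonce, nc, "0a4f113b")
        print(nc, token, server.check("GET", "/dir/index.html", nc, "0a4f113b", token))
```

Because the stored digest alone is enough to compute valid responses, the User folder needs the same protection as a password store.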