htaccess letting me in with wrong password?

migthegreek

msg:4227048 | 12:24 pm on Nov 5, 2010 (gmt 0) |

I have an htaccess password on a site, and it works fine, but I can get into the site using anything I like as long as the first 8 characters are the same as the set password.

e.g. if my password is 'password123', it will let me in using any of the following:

password4938067
password!
passwordBLKUADH

It always works, as long as the first 8 characters are correct. Anything else is ignored. Could this be the result of a poor encryption tool I used for the htpassword entry or something? I used [4webhelp.net]

My htaccess password block is as follows:

    AuthType Basic
    AuthName "Website"
    AuthUserFile /var/www/websites/.htpasswd
    Require user testuser
|
lammert

msg:4227070 | 1:30 pm on Nov 5, 2010 (gmt 0) |

It depends on the encryption type you use to create the password hash in the .htpasswd file. By default the crypt() function is used, which was the default *nix encryption method for passwords. That encryption method is limited to the first eight characters, as you already noticed.

You can use SHA encryption by adding the -s parameter to the htpasswd utility if you create the passwords from a *nix command line. SHA hashes are not limited to the first eight characters of a supplied password.
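
As an added example (not part of the original posts), a short Python audit that classifies the hash field of each .htpasswd entry and flags the crypt() entries that only compare the first eight characters, the behaviour discussed in this thread. The file contents, the user name `shauser` and the crypt() placeholder value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Traditional DES crypt(): 2 salt chars + 11 hash chars, no prefix.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return (scheme, truncates_at_8) for one .htpasswd hash field."""
    if hash_field.startswith("{SHA}"):
        return ("sha1", False)
    if hash_field.startswith("$apr1$"):
        return ("apr1-md5", False)
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", False)
    if DES_CRYPT.match(hash_field):
        return ("des-crypt", True)
    return ("unknown", False)

def audit(htpasswd_text):
    """List users whose entry uses the 8-character crypt() scheme."""
    flagged = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":")[:2]
        if classify(hash_field)[1]:
            flagged.append(user)
    return flagged

def sha_field(password):
    """Build the {SHA} field: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def verify_sha(hash_field, candidate):
    """Check a candidate password against a {SHA} field."""
    return hmac.compare_digest(hash_field, sha_field(candidate))

# Constructed sample file. The crypt() value is a format-only placeholder,
# not a real hash; the {SHA} entry is computed from the thread's example.
SAMPLE = "\n".join([
    "testuser:abPLACEHOLDER",
    "shauser:" + sha_field("password123"),
])

if __name__ == "__main__":
    print("entries limited to 8 characters:", audit(SAMPLE))
```

Any user the audit returns needs the password re-entered under a different scheme, since the stored crypt() value cannot be converted.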
|
migthegreek

msg:4227092 | 2:00 pm on Nov 5, 2010 (gmt 0) | Right, thanks.