It depends on the encryption type you use to create the password hash in the .htpasswd file. Default the crypt() function is used which was the default *nix encryption method for passwords. That encryption method is limited to the first eight characters as you already noticed. You can use SHA encryption by adding the -s parameter to the htpasswd utility if you create the passwords from a *nix command line. SHA hashes are not limited to the first eight characters of a supplied password.