| 8:05 pm on Nov 19, 2003 (gmt 0)|
They could decrypt or add their own entries :P Replace, delete and whatnot. Once into an account they have more access to compromise the system as a whole instead of one account.
Audit your own passwords. Even without access to an account, users can be auditing your passwords for you; there are enough applications out there that brute-force attack to find working accounts.
| 8:09 pm on Nov 19, 2003 (gmt 0)|
I guess the un-deletable answer is:
| 8:28 pm on Nov 19, 2003 (gmt 0)|
Yes, if the file is accessible it can be cracked. Most people don't choose hard passwords, so cracking could be done in a short period of time with poor passwords.
| 8:38 pm on Nov 19, 2003 (gmt 0)|
|they decrypt the .htaccess/.htpasswd files? |
Just to clear things up on the subject of .htpasswd: remember that you cannot "decrypt" entries in .htpasswd since they are only one-way hash values, not encrypted passwords.
Instead, as EliteWeb is referring to, "hackers" (or more correctly "crackers") perform a dictionary attack on entries in .htpasswd by comparing the hashed values of thousands of known passwords with those in your .htpasswd file.
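As an added illustration of the point above (example code written for this page, not something posted in the thread or taken from Apache), here is a small auditor for the defender's side of the same fact: since each entry is a one-way hash, the only thing you can do with it is hash a candidate and compare, exactly as the server does at login. What you can inspect is which hash scheme each entry uses and how cheap it makes guessing. The sample entries are constructed for the example; the bcrypt, apr1 and crypt fields are dummy strings of the right shape and the {SHA} field is computed in the script.

```python
"""Added example: audit the hash schemes in an .htpasswd file.

Each line is  user:hash.  The hash is one-way, so nothing can be "decrypted";
an attacker can only hash guesses and compare.  The defensive question is
therefore how fast each scheme lets guesses be tested, and whether the
password itself is weak.  Sample entries below are constructed for this
example, not taken from any real server.
"""
import base64
import hashlib
import hmac
import re


def sha_entry(password: str) -> str:
    """Build a {SHA} entry the way `htpasswd -s` does: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed sample .htpasswd contents.  The bcrypt, apr1 and crypt fields are
# dummy strings with the right shape; the {SHA} field is computed above.
SAMPLE_HTPASSWD = "\n".join([
    "alice:$2y$05$" + "a" * 22 + "b" * 31,   # bcrypt: 7-char header + 22 salt + 31 hash
    "bob:$apr1$saltsalt$" + "c" * 22,        # Apache MD5 (apr1): salt + 22-char hash
    "carol:" + sha_entry("password"),        # unsalted SHA-1 ({SHA})
    "dave:" + "d" * 13,                      # traditional 13-char crypt(3)
    "erin:letmein",                          # stored in the clear
]) + "\n"

# Scheme detection by prefix/shape; the verdicts are written from a defender's viewpoint.
SCHEMES = [
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d\d\$.{53}$"),      "ok: slow, salted, tunable cost"),
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$.{22}$"),   "weak: salted but MD5-based and fast to test"),
    ("sha1",     re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),  "weak: unsalted SHA-1, precomputed tables apply"),
    ("crypt",    re.compile(r"^[./0-9A-Za-z]{13}$"),          "weak: DES crypt, only the first 8 characters count"),
]


def classify(hash_field: str) -> tuple:
    """Return (scheme, verdict) for one hash field; an unknown shape is treated as plaintext."""
    for name, pattern, verdict in SCHEMES:
        if pattern.match(hash_field):
            return name, verdict
    return "plain", "critical: password stored in the clear"


def audit(htpasswd_text: str) -> list:
    """Parse user:hash lines and return one (user, scheme, verdict) tuple per entry."""
    rows = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, verdict = classify(hash_field)
        rows.append((user, scheme, verdict))
    return rows


def check_sha1(hash_field: str, candidate: str) -> bool:
    """Verify a candidate against a {SHA} entry the way the server does: hash it, then compare."""
    if not hash_field.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    expected = hash_field[len("{SHA}"):]
    actual = base64.b64encode(hashlib.sha1(candidate.encode()).digest()).decode()
    # constant-time comparison, so the check itself leaks nothing about the stored value
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    for user, scheme, verdict in audit(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:9} {verdict}")
    # carol's entry was built from "password"; verification is hash-and-compare, never decrypt
    print("carol/password:", check_sha1(sha_entry("password"), "password"))
```

Running it lists each user with its scheme and verdict, and the final line shows that checking a password is nothing more than hashing the candidate and comparing. The useful output for a site owner is the list of entries still on crypt, {SHA} or plaintext; those are the ones to re-create with `htpasswd -B` (bcrypt) so that a leaked file costs an attacker far more per guess.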
| 8:58 pm on Nov 19, 2003 (gmt 0)|
To clarify, I never did say a hacker or a cracker; I was talking about someone who gained access :P If talking about cracking files, the person would be referred to as a cracker.
Mmmm, makes me wonder: if you gain entry to a system you're a hacker. But when you crack passwords is your hacker title removed, or do you become a hacker/cracker? ;)
| 9:00 pm on Nov 19, 2003 (gmt 0)|
|do you become a hacker/cracker? |
Most of the time I become root.
| 2:59 pm on Nov 20, 2003 (gmt 0)|
>>>Just to clear things up on the subject of .htpasswd; remember that you cannot "decrypt" entries in .htpasswd since they are only one-way hash values, not encrypted passwords.
This is the answer I was looking for, thanks everybody!
| 3:14 pm on Nov 20, 2003 (gmt 0)|
Maybe I'm missing the point, but what are you trying to protect? A .htaccess file will only protect files accessed via HTTP. An example: on a shared UNIX/Linux/FreeBSD server (used by many sites), all the users tend to belong to the same group. By default, directories are created with the permissions set as 755, and regular files as 644. This means that anyone with shell access (as a regular user, not root) to that server will be able to read all your files, including those "protected" by your .htaccess. They would have no need to decrypt your .htpasswd file. Unless you're on a fully dedicated server, you should set the directory permissions as 701 and regular files as 604, so that the group does not have read access.
(Note I'm not a UNIX guru, so I may not have explained this well.)
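To make the point above concrete, here is an added example (written for this page, not posted in the thread) that walks a web root and reports every directory or file whose Unix group can read it, then applies the 701/604 scheme the post suggests. The demo tree it builds is constructed with the usual 755/644 defaults; the paths and names in it are placeholders.

```python
"""Added example: find files and directories in a web root that the Unix group
can read, which on a shared host with one common group means every other
customer with a shell.

The suggestion in the thread is directories 701 and regular files 604, so that
the group bits carry no read access while the web server, matched as "other",
can still traverse directories and read files.  The demo tree built by
make_demo_tree() is constructed for this example.
"""
import os
import stat
import tempfile

DIR_MODE = 0o701   # owner rwx, group nothing, other x (traverse only)
FILE_MODE = 0o604  # owner rw,  group nothing, other r


def group_readable(root: str) -> list:
    """Return sorted (relative path, octal mode) pairs for every entry under root that the group can read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # each directory is checked once, when os.walk yields it as dirpath
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own bits are irrelevant; only the target's mode matters
            if st.st_mode & stat.S_IRGRP:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def fix_permissions(root: str) -> int:
    """Apply 701 to directories and 604 to regular files under root; return how many were changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
        changed += 1
        for f in filenames:
            path = os.path.join(dirpath, f)
            if stat.S_ISREG(os.lstat(path).st_mode):  # leave symlinks and specials alone
                os.chmod(path, FILE_MODE)
                changed += 1
    return changed


# Constructed placeholder layout: a public page plus a "protected" directory.
DEMO_FILES = ("index.html", "private/.htaccess", "private/.htpasswd")


def make_demo_tree() -> str:
    """Build a constructed web root with the typical 755/644 defaults and return its path."""
    root = tempfile.mkdtemp(prefix="htaudit_")
    os.mkdir(os.path.join(root, "private"))
    for rel in DEMO_FILES:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed placeholder\n")
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "private"), 0o755)
    for rel in DEMO_FILES:
        os.chmod(os.path.join(root, rel), 0o644)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    print("group-readable before:", group_readable(root))
    print("changed:", fix_permissions(root))
    print("group-readable after: ", group_readable(root))
```

Before the fix every entry is reported (the root itself shows up as `.`), including `private/.htpasswd` at 644; after it the list is empty. Two checks before relying on this on a real host: run `id` to confirm that other customers really do share your group, because 604 still leaves the file readable by any account outside that group, and confirm the web server's own account is not in that group either, or it will lose read access along with everyone else.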