Webmaster General Forum

If server is broken, can they roam my .htaccess passwords?
Schoolbag

10+ Year Member



 
Msg#: 3936 posted 7:49 pm on Nov 19, 2003 (gmt 0)

Completely hypothetical question:

A hacker breaks into a server, now that they have access to roam around in your directories could they decrypt the .htaccess/.htpasswd files?

thanks!

 

EliteWeb

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 3936 posted 8:05 pm on Nov 19, 2003 (gmt 0)

They could decrypt or add their own entries :P Replace, delete and whatnot. Once into an account they have more access to compromise the system as a whole instead of one account.

Audit your own passwords. Even without access to an account, users can be auditing your passwords for you; there are enough applications out there that brute-force attack to find working accounts.

bcolflesh

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3936 posted 8:09 pm on Nov 19, 2003 (gmt 0)

I guess the un-deletable answer is:

yes ;)

EliteWeb

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 3936 posted 8:28 pm on Nov 19, 2003 (gmt 0)

Yes, if the file is accessible it can be cracked. Most people don't choose hard passwords, so cracking could be done in a short period of time with poor passwords.

dmorison

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3936 posted 8:38 pm on Nov 19, 2003 (gmt 0)

>>>they decrypt the .htaccess/.htpasswd files?

Just to clear things up on the subject of .htpasswd; remember that you cannot "decrypt" entries in .htpasswd since they are only one-way hash values, not encrypted passwords.

Instead; as EliteWeb is referring to, "hackers" (or more correctly "crackers") perform a dictionary attack on entries in .htpasswd by comparing the hashed values of thousands of known passwords with those in your .htpasswd file.

EliteWeb

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 3936 posted 8:58 pm on Nov 19, 2003 (gmt 0)

To clarify, I never did say a hacker or a cracker; I was talking about someone who gained access :P If talking about cracking files, the person would be referred to as a cracker.

Mmmm, makes me wonder: if you gain entry to a system you're a hacker. But when you crack passwords, is your hacker title removed, or do you become a hacker/cracker? ;)

bcolflesh

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3936 posted 9:00 pm on Nov 19, 2003 (gmt 0)

>>>do you become a hacker/cracker?

Most of the time I become root.

;)

Schoolbag

10+ Year Member



 
Msg#: 3936 posted 2:59 pm on Nov 20, 2003 (gmt 0)

>>>Just to clear things up on the subject of .htpasswd; remember that you cannot "decrypt" entries in .htpasswd since they are only one-way hash values, not encrypted passwords.

This is the answer I was looking for, thanks everybody!

encyclo

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 3936 posted 3:14 pm on Nov 20, 2003 (gmt 0)

Maybe I'm missing the point, but what are you trying to protect? A .htaccess file will only protect files accessed via HTTP. An example: on a shared UNIX/Linux/FreeBSD server (used by many sites), all the users tend to belong to the same group. By default, directories are created with the permissions set as 755, and regular files as 644. This means that anyone with shell access (as a regular user, not root) to that server will be able to read all your files, including those "protected" by your .htaccess. They would have no need to decrypt your .htpasswd file. Unless you're on a fully dedicated server, you should set the directory permissions as 701 and regular files as 604, so that the group does not have read access.

(Note I'm not a UNIX guru, so I may not have explained this well.)
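Two points from the thread made concrete, as an added example that is not from any of the posters: an .htpasswd entry is verified by hashing the candidate and comparing (shown for the {SHA} format that `htpasswd -s` writes), never decrypted, and the group-read bit that encyclo's 701/604 suggestion removes can be checked and fixed on disk. The sample file, the user name and the password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import stat
import tempfile

def sha_entry(password: str) -> str:
    # The "{SHA}" format that `htpasswd -s` writes: base64 of the raw SHA-1 digest.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample file; the user and password are assumptions for the demo.
SAMPLE_HTPASSWD = "alice:" + sha_entry("correct horse") + "\n"

def parse_htpasswd(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries

def check_password(entries: dict, user: str, candidate: str) -> bool:
    # Verification the way the server does it: hash the candidate and compare
    # in constant time. Nothing is decrypted; only {SHA} entries are handled.
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(candidate))

def group_readable(path: str) -> bool:
    # The bit encyclo's advice removes: read access for the shared group.
    return bool(os.stat(path).st_mode & stat.S_IRGRP)

def harden(path: str) -> None:
    # 701 for directories, 604 for files, as suggested in the thread; the "other"
    # bits stay on the assumption that the web server runs as a user outside the group.
    os.chmod(path, 0o701 if os.path.isdir(path) else 0o604)

def demo() -> tuple:
    # Builds a 755 directory holding a 644 .htpasswd (the defaults named in the
    # thread), then hardens both and reports group readability before and after.
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "protected")
        os.mkdir(d)
        os.chmod(d, 0o755)
        f = os.path.join(d, ".htpasswd")
        with open(f, "w") as fh:
            fh.write(SAMPLE_HTPASSWD)
        os.chmod(f, 0o644)
        before = (group_readable(d), group_readable(f))
        harden(d)
        harden(f)
        return before, (group_readable(d), group_readable(f))
```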
