htaccess letting me in with wrong password?

     
12:24 pm on Nov 5, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Dec 2, 2008
posts:64
votes: 0


I have an htaccess password on a site, and it works fine but I can get into the site using anything I like as long as the first 8 characters are the same as the set password.

e.g. If my password is 'password123'

It will let me in using any of the following:

password4938067
password!
passwordBLKUADH

It always works, as long as the first 8 characters are correct. Anything else is ignored. Could this be the result of a poor encryption tool I used for the htpassword entry or something?

I used 4webhelp.net

My htaccess password block is as follows:

AuthType Basic
AuthName "Website"
AuthUserFile /var/www/websites/.htpasswd
Require user testuser
1:30 pm on Nov 5, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2923
votes: 20


It depends on the encryption type you use to create the password hash in the .htpasswd file. By default the crypt() function is used, which was the default *nix encryption method for passwords. That encryption method is limited to the first eight characters, as you already noticed. You can use SHA encryption by adding the -s parameter to the htpasswd utility if you create the passwords from a *nix command line. SHA hashes are not limited to the first eight characters of a supplied password.
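
Added example, not part of the original thread: a Python audit sketch that flags .htpasswd entries stored in the traditional crypt() format (the one limited to the first eight characters) and shows that a {SHA} entry, the format written by htpasswd -s, rejects the longer variants from the question. The sample file contents and the user testuser2 are constructed, and the crypt()-style hash has the right shape only.

```python
import base64
import hashlib
import hmac
import re

# Traditional crypt(3) DES entry: 2-char salt + 11-char hash, 13 chars total.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def scheme(hash_field):
    """Classify the hash field of one .htpasswd entry by its format."""
    if hash_field.startswith("{SHA}"):
        return "sha1"          # htpasswd -s: unsalted SHA-1, base64 encoded
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"      # htpasswd -m
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"     # only the first 8 password characters count
    return "unknown"

def sha_entry(user, password):
    """Build an entry in the {SHA} format: base64 of the SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def check_sha(entry, candidate):
    """Check a candidate password against a {SHA} entry."""
    user = entry.split(":", 1)[0]
    return hmac.compare_digest(entry.encode(), sha_entry(user, candidate).encode())

def truncating_users(text):
    """Return users whose entry uses the 8-character-limited crypt() format."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        if scheme(hash_field) == "des-crypt":
            flagged.append(user)
    return flagged

# Constructed sample: the first hash has the crypt() shape only, it is not real.
SHA_LINE = sha_entry("testuser2", "password123")
SAMPLE = "testuser:ab0123456789A\n" + SHA_LINE + "\n"

if __name__ == "__main__":
    print("8-character limit applies to:", truncating_users(SAMPLE))
    for guess in ("password123", "password4938067", "password!"):
        print(guess, "->", check_sha(SHA_LINE, guess))
```
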
2:00 pm on Nov 5, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Dec 2, 2008
posts:64
votes: 0


Right, thanks.