Forum Moderators: Ocean10000 & incrediBILL & phranque

htaccess letting me in with wrong password?

     

migthegreek

12:24 pm on Nov 5, 2010 (gmt 0)



I have an htaccess password on a site, and it works fine but I can get into the site using anything I like as long as the first 8 characters are the same as the set password.

e.g. If my password is 'password123'

It will let me in using any of the following:

password4938067
password!
passwordBLKUADH

It always works, as long as the first 8 characters are correct. Anything else is ignored. Could this be the result of a poor encryption tool I used for the htpassword entry or something?

I used 4webhelp.net

My htaccess password block is as follows:

AuthType Basic
AuthName "Website"
AuthUserFile /var/www/websites/.htpasswd
Require user testuser

lammert

1:30 pm on Nov 5, 2010 (gmt 0)



It depends on the encryption type you use to create the password hash in the .htpasswd file. By default, the crypt() function is used, which was the default *nix encryption method for passwords. That encryption method is limited to the first eight characters, as you already noticed. You can use SHA encryption by adding the -s parameter to the htpasswd utility if you create the passwords from a *nix command line. SHA hashes are not limited to the first eight characters of a supplied password.
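
An added example, not part of the original thread: a small audit that classifies each .htpasswd entry by its hash format, so entries stored with DES crypt() (the scheme that only checks the first eight characters) can be found and regenerated. The function names and sample entries are constructed for this example; `sha_entry` builds the `{SHA}` format that `htpasswd -s` writes, which is an unsalted SHA-1 digest, while `$apr1$` and bcrypt entries are salted.

```python
import base64
import hashlib
import re

# DES crypt() output: 2 salt chars + 11 hash chars, all from ./0-9A-Za-z
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample; the first two hash fields are shape-only placeholders.
SAMPLE = """\
testuser:zz0123456789A
alice:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def classify(hash_field):
    """Return (scheme, note) for the hash part of one .htpasswd entry."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "salted, whole password is hashed"
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", "salted, first 72 bytes are hashed"
    if hash_field.startswith("{SHA}"):
        return "sha1", "unsalted, whole password is hashed"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt", "only the first 8 characters are checked"
    return "unknown", "plaintext or another crypt() variant"


def audit(htpasswd_text):
    """Return [(user, scheme, note)] for each entry in .htpasswd content."""
    results = []
    for line in htpasswd_text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        if sep and not user.startswith("#"):
            results.append((user, *classify(hash_field)))
    return results


def sha_entry(user, password):
    """Build the {SHA} entry format: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    for user, scheme, note in audit(SAMPLE):
        print(f"{user:10} {scheme:10} {note}")
    # Two passwords sharing their first 8 characters give different entries.
    print(sha_entry("testuser", "password123"))
    print(sha_entry("testuser", "password!"))
```

Any entry reported as `des-crypt` should be regenerated with a scheme that hashes the whole password.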

migthegreek

2:00 pm on Nov 5, 2010 (gmt 0)



Right, thanks.