[3078] in WWW Security List Archive


Re: Any known holes in .htaccess/.htpasswd directory security?

daemon@ATHENA.MIT.EDU (Michael Brennen)
Wed Sep 25 19:43:34 1996

Date: Wed, 25 Sep 1996 16:20:40 -0500 (CDT)
From: Michael Brennen <mbrennen@fni.com>
To: Scotty Logan <scotty@zinc.oucs.ox.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199609251431.PAA03039@zinc.oucs.ox.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 25 Sep 1996, Scotty Logan wrote:

> > The second is that 'htpasswd's are just uuencoded words (rather than
> > DES encrypted like ordinary passwords), so they are fairly easy to
> > decrypt.
> 
> I think you'll find that, at least for Apache, 'htpasswd's are
> encrypted just like real Unix passwords using the crypt() function.
> While much better than uuencoding they are still vulnerable to
> programs like crack.

You are both right.  Passwords are encoded in the .htaccess with crypt(),
the standard password encryption routine.  However, when transferring the
keyed-in password from the browser to the server, the p/w is uuencoded.

   -- Michael
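
The transport encoding discussed above is, in the HTTP Basic scheme, base64 of `user:password`, which anyone who sees the header can reverse without a key. The following is an added example, not part of the original message: it decodes a constructed header and flags requests that carried it over plain HTTP. The function names and sample requests are assumptions made for illustration.

```python
import base64
import binascii


def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain ':'.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def exposed_credentials(requests):
    """List users whose Basic credentials travelled over unencrypted HTTP."""
    exposed = []
    for req in requests:
        creds = decode_basic(req.get("authorization", ""))
        if creds and req.get("scheme") == "http":
            exposed.append(creds[0])
    return exposed


# Constructed sample data: the account and password are made up.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cr:et").decode("ascii")
SAMPLE_REQUESTS = [
    {"scheme": "http", "authorization": SAMPLE_HEADER},
    {"scheme": "https", "authorization": SAMPLE_HEADER},
    {"scheme": "http", "authorization": "Basic not-base64!"},
    {"scheme": "http", "authorization": ""},
]

if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    print(exposed_credentials(SAMPLE_REQUESTS))
```
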

