.htpasswd

Last updated April 19, 2024

.htpasswd is a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, although ".htpasswd" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with a dot to be hidden.^[1] The htpasswd command is used to manage .htpasswd file entries.^[2]

History

htpasswd was first added in the NCSA HTTPd server,^[3] which is the predecessor to Apache.^[4] The hash historically used "UNIX crypt" style with MD5 or SHA1 as common alternatives.^[5] In Apache 2.4, the bcrypt algorithm was added.^[6]

Usage

The file consists of lines, with each line containing a username, followed by a colon, followed by a string containing the hashed password optionally prepended by an algorithm specifier ("$2y$", "$apr1$" or "{SHA}") and/or salt.^[6]^[7]

Athelstan:RLjXiyxx56D9s Mama:RLMzFazUFPVRE Papa:RL8wKTlBoVLKk

Resources available from the Apache HTTP Server can be restricted to just the users listed in the files created by htpasswd. The .htpasswd file can be used to protect the entire directory it is placed in, as well as particular files.^[8]

Security issues

The only algorithm accepted by htpasswd that is still considered secure by today's standards is bcrypt,^[9] and many formats do not use salting making it vulnerable to dictionary attacks. The crypt() algorithm only uses the first 8 characters of any given password, discarding any past that.^[5]

Related Research Articles

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation.

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into IEEE 802 and IETF standards.

The Network Information Service, or NIS, is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.

A home directory is a file system directory on a multi-user operating system containing files for a given user of the system. The specifics of the home directory are defined by the operating system involved; for example, Linux / BSD (FHS) systems use /home/⟨username⟩ or /usr/home/⟨username⟩ and Windows systems since Windows Vista use \Users\⟨username⟩.

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system in scrambled form. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. Another type of approach is password spraying, which is often automated and occurs slowly over time in order to remain undetected, using a list of common passwords.

passwd is a command on Unix, Plan 9, Inferno, and most Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.

An .htaccess file is a directory-level configuration file supported by several web servers, used for configuration of website-access issues, such as URL redirection, URL shortening, access control, and more. The 'dot' before the file name makes it a hidden file in Unix-based environments.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.

In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker.

For computer log management, the Common Log Format, also known as the NCSA Common log format, is a standardized text file format used by web servers when generating server log files. Because the format is standardized, the files can be readily analyzed by a variety of web analysis programs, for example Webalizer and Analog.

CrushFTP is a proprietary multi-protocol, multi-platform file transfer server originally developed in 1999. CrushFTP is shareware with a tiered pricing model. It is targeted at home users on up to enterprise users.

When an HTTP client requests a URL that points to a directory structure instead of an actual web page within the directory structure, the web server will generally serve a default page, which is often referred to as a main or "index" page.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

In cryptography, scrypt is a password-based key derivation function created by Colin Percival in March 2009, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly to perform large-scale custom hardware attacks by requiring large amounts of memory. In 2016, the scrypt algorithm was published by IETF as RFC 7914. A simplified version of scrypt is used as a proof-of-work scheme by a number of cryptocurrencies, first implemented by an anonymous programmer called ArtForz in Tenebrix and followed by Fairbrix and Litecoin soon after.

ProFTPD is an FTP server. ProFTPD is Free and open-source software, compatible with Unix-like systems and Microsoft Windows . Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Unix-like environments today. Compared to those, which focus e.g. on simplicity, speed or security, ProFTPD's primary design goal is to be a highly feature rich FTP server, exposing a large amount of configuration options to the user.

crypt is a POSIX C library function. It is typically used to compute the hash of user account passwords. The function outputs a text string which also encodes the salt, and identifies the hash algorithm used. This output string forms a password record, which is usually stored in a text file.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL), it can be used for password-based logins to services like LDAP, HTTP, SMTP, POP3, IMAP and JMAP (e-mail), XMPP (chat), or MongoDB and PostgreSQL (databases). For XMPP, supporting it is mandatory.

References

↑ "Understanding Hidden Files and Folders in Your Home Directory – TecAdmin". 2023-05-15. Retrieved 2024-02-08.
↑ David, Jackson (July 30, 2023). "Mastering Htpasswd Command in Linux". Linux TLDR.
↑ "NCSA httpd AuthUserFile". www6.uniovi.es. Retrieved 2024-02-08.
↑ "About the Apache HTTP Server Project - The Apache HTTP Server Project". httpd.apache.org. Retrieved 2024-02-08.
1 2 "htpasswd - Manage user files for basic authentication" . Retrieved 2013-11-30.
1 2 "Password Formats - Apache HTTP Server Version 2.4". Apache. Retrieved 2024-02-08.
↑ "HTTP authentication - HTTP | MDN". developer.mozilla.org. 2023-12-20. Retrieved 2024-02-08.
↑ Services, Chameleon Web (2014-03-24). "Password Protect File or Folder using .htaccess | Chameleon Web Services" . Retrieved 2024-02-08.
↑ "htpasswd file generator". aspirine.org. Retrieved 2024-02-08.

External links

Apache: htpasswd - Manage user files for basic authentication

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Understanding Hidden Files and Folders in Your Home Directory – TecAdmin". 2023-05-15. Retrieved 2024-02-08.

[2] David, Jackson (July 30, 2023). "Mastering Htpasswd Command in Linux". Linux TLDR.

[3] "NCSA httpd AuthUserFile". www6.uniovi.es. Retrieved 2024-02-08.

[4] "About the Apache HTTP Server Project - The Apache HTTP Server Project". httpd.apache.org. Retrieved 2024-02-08.

[httpd-apaache-docs-5] 1 2 "htpasswd - Manage user files for basic authentication" . Retrieved 2013-11-30.

[:0-6] 1 2 "Password Formats - Apache HTTP Server Version 2.4". Apache. Retrieved 2024-02-08.

[7] "HTTP authentication - HTTP | MDN". developer.mozilla.org. 2023-12-20. Retrieved 2024-02-08.

[8] Services, Chameleon Web (2014-03-24). "Password Protect File or Folder using .htaccess | Chameleon Web Services" . Retrieved 2024-02-08.

[9] "htpasswd file generator". aspirine.org. Retrieved 2024-02-08.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]