
I am wondering how the Apache server authenticates me with .htpasswd

I have a .htpasswd file inside a folder. The .htpasswd content is generated with PHP and the password is encrypted with the crypt() function like this:

$hash = crypt($password, mb_substr($password, 0, 2)); // salt = the first two characters of the password itself

The problem is that no matter which salt I use, mb_substr($password,0,2), my_private_salt or 'whatever', the server will always authenticate me if I pass the correct username/password combination.

So, what's the point with that salt?

Thanks

Qben
    It makes it harder for bad guys to decrypt the password. You should use a random salt. – Christoph Diegelmann Sep 27 '13 at 10:12
  • The salt is securing unauthorized access to the `.htaccess`, not the HTTP Auth security. Check this http://stackoverflow.com/questions/6441578/how-secure-is-htaccess-password-protection/6442113#6442113 for references – regilero Sep 27 '13 at 11:19

1 Answer


I found the answer.

The PHP crypt() function generates a unique hash. If the salt is not specified then a random salt will be generated.

A BIG problem is that only the first 8 characters from the password will be used to generate the hash and only two characters from the salt.

The resulting hash will be composed of the salt + another 11 characters.

For example, if we do crypt('1234567','12') the result will be "120QBxD1IX.Cw". Notice the first two characters of the hash (12).

This is how the Apache server will know how to encrypt the request and compare it with the saved hash in the .htpasswd file.

For a better explanation please see this link: http://blog.irreverence.co.uk/?p=858
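The verification flow the answer describes, written out as an added example (this is not code from the question, the answer, or Apache itself; the user names, passwords and file content are constructed for the demonstration). The point it shows: the salt is stored as the first two characters of the hash, so the server recovers it from the stored entry and never needs to know how the entry was generated. It also shows the eight-character truncation of traditional DES crypt() that the answer warns about. The function names (random_des_salt, htpasswd_line, verify_des_entry, check_htpasswd) are this example's own.

```php
<?php
// Added example, not part of the original question or answer.
// Demonstrates how an .htpasswd entry with a traditional DES crypt() hash
// is created and how a server verifies it: the salt is read back out of the
// stored hash, so any salt works as long as the stored hash was made with it.

// Alphabet crypt(3) accepts for the two-character DES salt.
const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function random_des_salt(): string {
    $salt = '';
    for ($i = 0; $i < 2; $i++) {
        $salt .= SALT_CHARS[random_int(0, strlen(SALT_CHARS) - 1)];
    }
    return $salt;
}

// Build one "user:hash" line like the question's script does, but with a
// random salt instead of the first two characters of the password.
function htpasswd_line(string $user, string $password): string {
    return $user . ':' . crypt($password, random_des_salt());
}

// What Apache (mod_authn_file) does for a DES-crypt entry: pass the stored
// hash as the salt argument (crypt() only reads its first two characters)
// and compare the result with the stored value in constant time.
function verify_des_entry(string $storedHash, string $password): bool {
    $candidate = crypt($password, $storedHash);
    return hash_equals($storedHash, $candidate);
}

// Look the user up in .htpasswd content and verify the submitted password.
function check_htpasswd(string $content, string $user, string $password): bool {
    foreach (preg_split('/\R/', $content) as $line) {
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        [$name, $hash] = explode(':', $line, 2) + [1 => ''];
        if ($name === $user) {
            return verify_des_entry($hash, $password);
        }
    }
    return false;
}

// --- demonstration on constructed data ---
$lineA = htpasswd_line('alice', 'correct horse');
$lineB = htpasswd_line('alice', 'correct horse');
$file  = "# constructed .htpasswd\n" . $lineA . "\n";

echo $lineA, "\n", $lineB, "\n";   // same password, two different salts, two different hashes
var_dump(check_htpasswd($file, 'alice', 'correct horse'));  // bool(true)
var_dump(check_htpasswd($file, 'alice', 'wrong'));          // bool(false)

// The weakness the answer mentions: traditional DES crypt() only uses the
// first eight characters of the password, so these two hash identically.
$hash = crypt('12345678', 'ab');
var_dump(crypt('12345678extra', 'ab') === $hash);           // bool(true)
```

Because the salt only has to be recoverable from the stored hash, a salt derived from the password (as in the question) verifies just as well as a random one; what it loses is the purpose of a salt, which is to make identical passwords hash differently so that a precomputed table of hashes for one salt cannot be reused against every user who chose the same password. For a new deployment on Apache 2.4, the htpasswd tool's -B option (bcrypt) avoids both the two-character salt and the eight-character truncation of the DES scheme.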