
I am wondering about a password that I have configured in a .htpasswd file to protect some of my web site folders.

The main problem is that when I input a valid user name and an invalid password, it also lets me in.

However, the invalid password I input matches the first 8 digits of my configured password; I mean that the first 8 digits of the input password are the same as the first 8 digits of the real password.

Thibault

1 Answer


This is a known limitation of crypt().

From the Apache htpasswd documentation:

Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware. This algorithm limits the password length to 8 characters. This algorithm is insecure by today's standards. It used to be the default algorithm until version 2.2.17.

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

Matt.C
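As an added example (my own code, not from the answer above or from Apache's htpasswd tool), a small Python audit that classifies each entry of a .htpasswd file by hash scheme and flags the crypt() entries that suffer from the 8-character truncation described in the answer; the file contents below are constructed samples, not real credentials.

```python
import re

# Constructed sample .htpasswd contents (format-correct, not real credentials).
SAMPLE_HTPASSWD = """\
# users for /private
alice:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
bob:abJnggxhB/yWI
carol:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BBflI0WjtCq
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
erin:Secret!Pass
"""

# Traditional DES crypt() output: exactly 13 chars from the crypt alphabet, no '$' prefix.
# Caveat: a 13-char alphanumeric *plaintext* entry is indistinguishable by format alone.
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(h):
    """Return the hash scheme name for one .htpasswd password field."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1"
    if h.startswith(("$5$", "$6$")):
        return "sha-crypt"          # system crypt(3) SHA-256/512, not truncated
    if DES_CRYPT_RE.fullmatch(h):
        return "des-crypt"          # only the first 8 password chars are used
    return "unknown-or-plaintext"


def audit_htpasswd(text):
    """Return [(user, scheme, truncates_at_8)] for every credential line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                # skip blanks, comments and malformed lines
        user, hashval = line.split(":", 1)
        scheme = classify_hash(hashval)
        findings.append((user, scheme, scheme == "des-crypt"))
    return findings


def weak_users(text):
    """Users whose entry truncates at 8 chars or is not a recognised hash."""
    return [u for u, s, t in audit_htpasswd(text) if t or s == "unknown-or-plaintext"]


def same_under_des_crypt(pw_a, pw_b):
    """True if DES crypt() would accept both: it compares only the first 8 chars."""
    return pw_a[:8] == pw_b[:8]


if __name__ == "__main__":
    for user, scheme, truncates in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:22} {'TRUNCATES' if truncates else ''}")
```

Entries reported as des-crypt should be regenerated with a non-truncating scheme, for example `htpasswd -B` (bcrypt) on current Apache releases.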