How secure is .htaccess password protection?

Accepted answer
Score: 77

Several things to notice:

Adding security in a .htaccess can always be done without the .htaccess, by using <Directory> instructions in the main configuration (or the virtualhost configuration). It will go faster (if you remove completely support for .htaccess with AllowOverride None) and you won't get the risk of someone altering your .htaccess.

There are several ways of adding security in .htaccess files; one of these ways is by using Basic HTTP Authentication with .htpasswd files. These .htpasswd files shouldn't be in the web directory root. One of the other possibilities is using HTTP Digest Authentication, with the restriction that very old browsers won't support it (like IE6).

We usually encounter HTTP Basic Authentication. This is a very weak protection, simply because of the way it works. At the 1st request you're rejected, then your browser asks you for a password and login, and memorizes this password/login association for the webserver requested. Then for every request sent to this webserver until you close your browser the login and password will be added in the request header, unencrypted. There's simply a base64 encoding applied to the string 'Yourlogin:Yourpassword', to make it look like a pure ASCII-7 string and prevent encoding problems.

So anyone sniffing your request (wifi hotspot, man in the middle, local network, echo switch, etc.) will know your password and login. Bad. The rule is:

never ever use Basic HTTP Authentication if the connection isn't HTTPS (SSL).

If your webserver is completely in HTTPS no problem (see edit at the bottom), the clear-text login/password are encrypted by SSL.

For the brute force problem (and yes, some people can try to brute force the login/password, except if you tune a mod_security module to prevent that) the Security Considerations of the htpasswd page are quite clear:

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

and:

On the Windows and MPE platforms, passwords encrypted with htpasswd are limited to no more than 255 characters in length. Longer passwords will be truncated to 255 characters.

So use SHA hashing for passwords (even if it's not salted).

Another way to let authenticated users browse a directory's content is to handle the directory listing and file upload within your application (PHP, Tomcat, etc.) and not with the apache automatic listing. In terms of security the automatic listing module (mod_autoindex) is something you shouldn't even have on your running apache.

Edit

A full HTTPS server is not required if you want to protect only some URLs with HTTP authentication. What you really need is that all these protected URLs should be in https; if non-protected URLs are in the http domain the authentication headers won't be used as this is a different domain (and the authentication headers are sent by domain). So you could add basic redirection rules in the http domain for these URLs, maybe something like that:

RedirectMatch 301 ^/secure/(.*)$ https://www.example.com/secure/$1

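As an added example (not part of the original answer, and not Apache's own code), the Python script below makes two of the answer's points concrete: a Basic Authorization header captured on a plain http:// connection is just base64 and gives up the login and password without any key, whereas Digest sends only an MD5 response (RFC 2617 formula, no qop); and an .htpasswd file can be audited line by line to see which hash scheme each entry uses, flagging classic crypt (only the first 8 characters count) and unsalted {SHA}. The request, the user names, the password 'hunter2', the realm and nonce, and the .htpasswd lines are all constructed sample data; the crypt, apr1 and bcrypt entries are format-valid placeholders, not hashes of any real password.

```python
"""Added example, not from the original answer: what HTTP Basic puts on the
wire, what HTTP Digest sends instead, and which hash scheme each line of an
.htpasswd file uses.  Every input below is a constructed sample."""
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed request, as a sniffer on an http:// connection would see it.
SAMPLE_REQUEST = (
    "GET /secure/report.pdf HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)


def decode_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover login and password from a Basic Authorization header.

    Basic auth is base64('login:password'): an encoding, not encryption,
    so no key is needed.  Returns None if there is no Basic header."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        login, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return login, password
    return None


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(login: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2).

    Only this hash travels in the request; the password itself never does."""
    ha1 = _md5_hex(f"{login}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def sha_htpasswd(password: str) -> str:
    """The '{SHA}' format written by 'htpasswd -s': base64(SHA-1(password)).
    There is no salt, so two users with the same password get the same line."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_sha(stored: str, password: str) -> bool:
    """Constant-time check of a {SHA} line against a candidate password."""
    return hmac.compare_digest(stored.encode(), sha_htpasswd(password).encode())


# Classic crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(stored: str) -> dict:
    """Name the htpasswd scheme of one stored hash and its known limits.

    'max_len' is how many password characters actually matter: classic
    crypt() silently drops everything after the 8th, bcrypt after 72 bytes.
    A 13-character plaintext password would be mistaken for crypt here."""
    if stored.startswith(("$2y$", "$2a$")):
        return {"scheme": "bcrypt", "salted": True, "max_len": 72}
    if stored.startswith("$apr1$"):
        return {"scheme": "apr1 (MD5)", "salted": True, "max_len": None}
    if stored.startswith("{SHA}"):
        return {"scheme": "SHA-1", "salted": False, "max_len": None}
    if _CRYPT_RE.fullmatch(stored):
        return {"scheme": "crypt", "salted": True, "max_len": 8}
    return {"scheme": "plain", "salted": False, "max_len": None}


# Constructed .htpasswd contents.  alice's line is a genuine {SHA} hash of the
# sample password; the crypt, apr1 and bcrypt lines are placeholders that only
# have the right shape, so classify_hash() can recognise the scheme.
SAMPLE_HTPASSWD = (
    f"alice:{sha_htpasswd('hunter2')}\n"
    "bob:AbCdEfGhIjKlM\n"
    "carol:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
    "dave:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0\n"
)


def audit_htpasswd(text: str) -> dict:
    """Map each user in an .htpasswd file to the classification of its hash."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        report[user] = classify_hash(stored)
    return report


if __name__ == "__main__":
    print("sniffed credentials:", decode_basic_credentials(SAMPLE_REQUEST))
    for user, info in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:6} {info}")
```

Running the script prints the sample login and password recovered from the header with nothing but a base64 decode, then one line per .htpasswd user showing that bob's crypt entry only ever checks 8 characters and alice's {SHA} entry is unsalted; the Digest helper is there to compare against, since the value it returns is all an attacker on the wire would see of the password.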