Basic Password Protection with: htpasswd & htaccess

November 11, 2016 | Views: 3050


htpasswd makes it easy to add HTTP Basic authentication to a web page or directory. This is useful as an extra layer of security or as a temporary measure, but it is not viable as a long-term access-control solution.

Here is how I set it up.

Create The Password File

The password file should be created in a directory that is not fetchable by external hosts, i.e. outside the web server's document root.

htpasswd -cB /home/randybutternubs/.htpasswds/.mypasswds butternubs
New password:
Re-type new password:

Add an Additional User (newuser) to the htpasswd File

htpasswd -B /home/randybutternubs/.htpasswds/.mypasswds newuser
New password:
Re-type new password:
Adding password for user newuser

cat /home/randybutternubs/.htpasswds/.mypasswds
butternubs:$2y$05$tE79XLYL7aR9RGaOsEEl2uU1f9BIsdnC2iBbXxW4G/Dl7mkpS/YeK
newuser:$2y$05$MLhQplQWSgFUnRjN/Ui9mOJCJj1mu.HD98IwJgwsKmoMxjMT72BKm


Add Directives to the .htaccess File Located in the Directory that Needs Password Protection

AuthType Basic
AuthName "Three may keep a secret..."
AuthUserFile /home/randybutternubs/.htpasswds/.mypasswds
Require valid-user

Now when a user visits that directory, the browser prompts them for a username and password; Apache accepts any user listed in the AuthUserFile whose password matches.

Available Flags You Can Use

Here are the available flags that can be used with htpasswd, taken from the man page.

-c  Create a new file.
-n  Don't update the file; display the results on stdout.
-b  Use the password from the command line rather than prompting for it (the man page warns that the password is then visible on the command line, so it also ends up in shell history and process listings).
-i  Read the password from stdin without verification (for script usage).

-m  Force MD5 encryption of the password (default).
-B  Force bcrypt encryption of the password (very secure).
-C  Set the computing time used for the bcrypt algorithm (higher is more secure but slower; default: 5, valid: 4 to 31).
-d  Force CRYPT encryption of the password (8 chars max, insecure).
-s  Force SHA encryption of the password (insecure).
-p  Do not encrypt the password (plaintext, insecure).
-D  Delete the specified user.
-v  Verify the password for the specified user.
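The password file shown in the cat output above and the encryption flags listed here produce recognisably different stored forms (bcrypt "$2y$", MD5 "$apr1$", SHA "{SHA}", 13-character crypt, or plaintext). The following is an added example, not part of the original guide, that parses an htpasswd file, reports which scheme protects each account so weak entries can be found before an attacker does, and verifies a candidate password for the schemes the Python standard library can check. The two bcrypt lines are the ones shown in the guide; the other entries, the user names "legacy", "oldcrypt" and "plain", and the cost threshold of 10 used to flag low-cost bcrypt entries are constructed assumptions.

```python
"""Audit an Apache htpasswd file: report the hash scheme behind each account
and verify candidate passwords where the standard library suffices.
Added example, not code from the original guide."""
import base64
import hashlib
import hmac


def parse_htpasswd(text):
    """Return {user: stored_hash}; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def classify(stored):
    """Map a stored hash to (scheme, bcrypt_cost_or_None), using the
    prefixes htpasswd writes for -B, -m, -s, -d and -p respectively."""
    if stored[:4] in ("$2y$", "$2a$", "$2b$"):
        return ("bcrypt", int(stored[4:6]))      # "$2y$05$..." -> cost 5
    if stored.startswith("$apr1$"):
        return ("apr1-md5", None)
    if stored.startswith("{SHA}"):
        return ("sha1", None)
    if len(stored) == 13 and "$" not in stored:
        return ("crypt", None)                   # traditional DES crypt(3)
    return ("plaintext", None)


def is_weak(stored, min_cost=5):
    """Anything other than bcrypt is weak; bcrypt below min_cost is weak too.
    The default of 5 matches htpasswd's own default; raise it to audit harder."""
    scheme, cost = classify(stored)
    return scheme != "bcrypt" or cost < min_cost


def weak_accounts(text, min_cost=5):
    """Sorted list of users whose entry fails is_weak()."""
    return sorted(u for u, h in parse_htpasswd(text).items()
                  if is_weak(h, min_cost))


def sha_entry(password):
    """Same stored form as `htpasswd -s`: '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify(stored, candidate):
    """True/False when the scheme can be checked here; None when an external
    package (bcrypt) or the tool itself (`htpasswd -v`) is needed."""
    scheme, _ = classify(stored)
    if scheme == "sha1":
        return hmac.compare_digest(stored.encode(), sha_entry(candidate).encode())
    if scheme == "plaintext":
        return hmac.compare_digest(stored.encode(), candidate.encode())
    if scheme == "bcrypt":
        try:
            import bcrypt  # optional third-party package, not always installed
        except ImportError:
            return None
        return bcrypt.checkpw(candidate.encode(), stored.encode())
    return None  # apr1-md5 and crypt: defer to `htpasswd -v`


# Constructed sample file: the two bcrypt lines are the guide's own output,
# the remaining accounts are hypothetical entries for the other schemes.
SAMPLE_HTPASSWD = "\n".join([
    "# users for /home/randybutternubs/.htpasswds/.mypasswds (sample)",
    "butternubs:$2y$05$tE79XLYL7aR9RGaOsEEl2uU1f9BIsdnC2iBbXxW4G/Dl7mkpS/YeK",
    "newuser:$2y$05$MLhQplQWSgFUnRjN/Ui9mOJCJj1mu.HD98IwJgwsKmoMxjMT72BKm",
    "",
    "legacy:" + sha_entry("password"),   # what `htpasswd -s` would write
    "oldcrypt:abJnggxhB/yWI",            # hypothetical crypt(3) entry
    "plain:hunter2",                     # hypothetical `-p` entry
])

if __name__ == "__main__":
    for user, stored in parse_htpasswd(SAMPLE_HTPASSWD).items():
        scheme, cost = classify(stored)
        flag = "WEAK" if is_weak(stored, min_cost=10) else "ok"
        print(f"{user:12} {scheme:10} cost={cost} {flag}")
```

Run it against a real file by replacing SAMPLE_HTPASSWD with the file's contents; with min_cost=10 the guide's own cost-5 entries are flagged as well, which is the intended nudge toward the -C flag. The audit only covers the stored form: Basic authentication still sends the credentials base64-encoded with every request, so the protected directory should be served over HTTPS, as the first comment below also points out.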

3 Comments
• YW! Please be aware htpasswd is still susceptible to brute-force attacks. Use strong passwords (16+ characters) and a secure connection (SSL) for increased security.

• The section where it says "Add an Additional User (randybutternubs) to the htpasswd File": I'm actually adding the user named "newuser" in that particular step. I added this comment hoping to prevent any confusion caused by that typo. It seems these guides are edited after submission; I submitted a request to the Cybrary support team asking them to update the guide.
