By: faildriller
November 11, 2016

Basic Password Protection with: htpasswd & htaccess

Htpasswd makes it easy to add basic password authentication to a web page. This can be useful for providing an extra layer of security or as a temporary measure, but it's not viable for the long term.

Here is my solution to this problem.

Create The Password File

The file should be created within a directory that's not fetchable by external hosts.

    htpasswd -cB /home/randybutternubs/.htpasswds/.mypasswds butternubs
    New password:
    Re-type new password:

Add an Additional User (randybutternubs) to the htpasswd File

    htpasswd -B /home/randybutternubs/.htpasswds/.mypasswds newuser
    New password:
    Re-type new password:
    Adding a password for user: newuser

    cat /home/randybutternubs/.htpasswds/.mypasswds
    butternubs:$2y$05$tE79XLYL7aR9RGaOsEEl2uU1f9BIsdnC2iBbXxW4G/Dl7mkpS/YeK
    newuser:$2y$05$MLhQplQWSgFUnRjN/Ui9mOJCJj1mu.HD98IwJgwsKmoMxjMT72BKm

Add Directives to the .htaccess File Located in the Directory that Needs Password Protection

    AuthType Basic
    AuthName "Three may keep a secret..."
    # Must be the same path as the password file created with htpasswd above
    AuthUserFile /home/randybutternubs/.htpasswds/.mypasswds
    Require valid-user

Now when a user visits that site, it will prompt them for a username and password.

Available Flags You Can Use

Here are the available flags that can be used with htpasswd, taken from the man pages.

    -c  Create a new file.
    -n  Don't update file; display results on stdout.
    -b  Use the password from the command line rather than prompting for it.
    -i  Read password from stdin without verification (for script usage).
    -m  Force MD5 encryption of the password (default).
    -B  Force bcrypt encryption of the password (very secure).
    -C  Set the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 31).
    -d  Force CRYPT encryption of the password (8 chars max, insecure).
    -s  Force SHA encryption of the password (insecure).
    -p  Do not encrypt the password (plaintext, insecure).
    -D  Delete the specified user.
    -v  Verify password for the specified user.
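
An added example, not part of the original post: a shell audit of an htpasswd file that reports each entry's hash scheme from its stored prefix and flags anything that is not bcrypt at or above MIN_COST, as well as a password file placed under the document root. MIN_COST=10, the /var/www/html document root, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an htpasswd file by the scheme prefix of each stored hash.
MIN_COST=${MIN_COST:-10}   # assumed policy threshold, not a value from the article

# classify_hash HASH -> prints "OK <scheme>" or "FLAG <scheme>"
classify_hash() {
    case $1 in
        '$2'[aby]'$'*)   # bcrypt (-B); the field after the prefix is the cost (-C)
            cost=${1#????}; cost=${cost%%'$'*}; cost=${cost#0}
            if [ "$cost" -ge "$MIN_COST" ]; then echo "OK bcrypt-cost-$cost"
            else echo "FLAG bcrypt-cost-$cost"; fi ;;
        '$apr1$'*) echo "FLAG apr1-md5" ;;            # -m
        '{SHA}'*)  echo "FLAG unsalted-sha1" ;;       # -s
        *)         echo "FLAG crypt-or-plaintext" ;;  # -d or -p
    esac
}

# audit_htpasswd FILE [DOCROOT] -> one line per finding; returns 1 if anything is flagged
audit_htpasswd() {
    file=$1; docroot=${2:-}; rc=0
    if [ -n "$docroot" ]; then   # password file must not be fetchable over HTTP
        case $file in
            "$docroot"/*) echo "FLAG file-inside-docroot"; rc=1 ;;
        esac
    fi
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac   # skip blank lines and comments
        verdict=$(classify_hash "$hash")
        echo "$user $verdict"
        case $verdict in FLAG*) rc=1 ;; esac
    done < "$file"
    return "$rc"
}

# Constructed sample file: hash bodies are placeholders, not real password hashes
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$12$CONSTRUCTEDplaceholderHASHbody
bob:$2y$05$CONSTRUCTEDplaceholderHASHbody
carol:$apr1$CONSTRUCT$placeholderHASHbody
dave:{SHA}CONSTRUCTEDplaceholder=
EOF
audit_htpasswd "$sample" /var/www/html || echo "result: entries flagged"
rm -f "$sample"
```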