
How does htaccess passwd "encryption" work OR How can I decrypt it?

Last Modified: 2012-08-13

Note: This is for educational purposes only.

You can use some brute force password attack tool which will try
guessing thousands of combinations in a second, and of course,
the time needed will depend on the complexity of the password
used.

This is because the password hash is stored in a pwd file, not
the password itself. The thing becomes worse when you find out
that the hash is a one-way hash. That means, there is no way to
reverse the process to get your pass back.

When you login to some web page, the password you provide to
the web browser is transmitted to the web server, where apache
gets it, and then apache creates the hash from that. After that it
checks if those two hashes match. If they don't, then obviously
the passwords are not the same.

One more thing: you can get the SAME hash value for two
DIFFERENT passwords, because of the way the one-way-hash
method works. But, to be honest, the probability of encountering
such a case is rather low.

The answer is "you cannot decrypt it, but you can break it with
some brute force password guessing tools"

If you were wondering which tool for "educational purposes" could
be used to check the strength of the password ;) then you can check:

"The GreyHat Guide to: cracking .htaccess/.htpasswd passwords"
http://www.hungryhacker.com/articles/security/htaccess.html

Author

Commented:
Just a note for MODS, I am actually using this for educational purposes.

Author

Commented:
I am looking for how it is encrypted, e.g. HMAC'ed SHA1?
"To create the file, use the htpasswd utility that came with Apache."
http://httpd.apache.org/docs/2.0/howto/auth.html

"htpasswd encrypts passwords using either a version of MD5
modified for Apache, or the system's crypt() routine. Files
managed by htpasswd may contain both types of passwords;
some user records may have MD5-encrypted passwords while
others in the same file may have passwords encrypted with
crypt()."
http://httpd.apache.org/docs/1.3/programs/htpasswd.html


It's a modified MD5 mostly.
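Added example, not code from this thread or from Apache: the Python below re-implements the "MD5 modified for Apache" scheme quoted above (the `$apr1$` entries htpasswd writes with `-m`) using only hashlib, and then does what the earlier answers describe in prose: it verifies a login by rehashing the supplied password with the salt stored in the file and comparing the result, it runs a small dictionary attack against a sample entry, and it generates a fresh entry. The user name alice, the password hunter2, the salt and the word list are constructed for the example. The algorithm follows Apache's apr_md5_encode() (the md5crypt construction with the `$apr1$` magic); cross-check its output against `htpasswd -nbm alice hunter2` before relying on it. Old crypt() entries and the newer `{SHA}` and bcrypt (`$2y$`) formats are not handled here.

```python
"""Apache $apr1$ htpasswd hashing, verification and a dictionary attack.

Added example: a re-implementation of apr_md5_encode() (md5crypt with the
"$apr1$" magic) on top of hashlib. Sample user, password, salt and word
list are constructed; cross-check with `htpasswd -nbm` before relying on it.
"""
import hashlib
import hmac
import secrets

MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant bits first."""
    out = []
    for _ in range(count):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>" for password, as apr_md5_encode() does."""
    pw = password.encode()
    salt_b = salt.encode()[:8]                      # apr uses at most 8 salt chars
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for i in range(0, len(pw), 16):                 # mix in alt, 16 bytes per 16 chars of pw
        ctx.update(alt[: min(16, len(pw) - i)])
    i = len(pw)                                     # md5crypt's "something really weird" step
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                           # 1000 MD5 rounds: cheap for an attacker
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(salt_b)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    p = final
    encoded = (
        _to64((p[0] << 16) | (p[6] << 8) | p[12], 4)
        + _to64((p[1] << 16) | (p[7] << 8) | p[13], 4)
        + _to64((p[2] << 16) | (p[8] << 8) | p[14], 4)
        + _to64((p[3] << 16) | (p[9] << 8) | p[15], 4)
        + _to64((p[4] << 16) | (p[10] << 8) | p[5], 4)
        + _to64(p[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash from htpasswd file contents (user:hash per line)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify(password: str, stored: str) -> bool:
    """What Apache does on login: rehash with the stored salt, compare the hashes."""
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are handled in this example")
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def dictionary_attack(stored: str, wordlist):
    """The only way to 'decrypt' a hash: guess candidates until one verifies."""
    for candidate in wordlist:
        if verify(candidate, stored):
            return candidate
    return None


def new_entry(user: str, password: str) -> str:
    """Create a user:hash line with a random 8-character salt."""
    salt = "".join(chr(secrets.choice(ITOA64)) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


# Constructed sample file: salt chosen by hand, hash produced by apr1_hash above.
SAMPLE_HTPASSWD = "alice:" + apr1_hash("hunter2", "Xy3kP9aB") + "\n"
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]   # constructed

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD.strip())
    print("correct password verifies:", verify("hunter2", users["alice"]))
    print("wrong password verifies:  ", verify("Hunter2", users["alice"]))
    print("dictionary attack found:  ", dictionary_attack(users["alice"], WORDLIST))
    print("fresh entry:              ", new_entry("bob", "s3cret"))
```

The point the first answer makes in prose is visible in the code: the file holds only salt plus digest, so the server can check a password but nobody can recover it, and the attacker's job is simply to run `apr1_hash` over candidates faster than this Python does. With only 1000 MD5 rounds, `$apr1$` is a fast hash; offline tools (hashcat mode 1600, John the Ripper) test it at many millions of guesses per second, so a weak password in a leaked `.htpasswd` is found quickly regardless of any lockout on the login page.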
>  How does htaccess passwd "encryption" work OR How can I decrypt it?
.htaccess does not encrypt.
You probably mean htpasswd, which encrypts with UNIX's crypt() by default.
Or do you mean the transport coding if .htaccess is used with Basic Authentication? Then there is no encryption at all.
How it works is a complex mathematical formula in a one-way hash.

How you decrypt it is, in your case, nonexistent, because you can't ... that's why it's called a one-way hash.

The downside of this is of course there can be collisions, but for basic authentication, a collision isn't really important, since you are only verifying an existing presence of the correct string by comparing the hashed value of the input against the saved hash value of the existing password ... unless someone enters a string that has the exact same hash value at random ... which isn't really a viable concern considering the chance of it occurring at random, also because after 3 incorrect attempts the script resets to the authentication error page.

As to the guy who stated about brute forcing, that isn't a possibility because of the nature of the HTTP authentication and page reset.
OK, my typing messed up a little ... I meant to say there is no *known* way currently to decrypt a one-way hash other than brute force, which isn't a concern on HTTP authentication.