How does htaccess passwd "encryption" work OR How can I decrypt it?

How does htaccess passwd "encryption" work OR How can I decrypt it?

Note: This is for educational purposes only.
LVL 5
mnb93Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nepostojeci_emailCommented:
You can use some brute force password attack tool which will try
guessing thousands of combinations in a second, and of course,
the time needed will depend on the complexity of the password
used.

This is because the password hash is stored in a pwd file, not
the password itself. The thing becomes worse when you find out
that the hash is a one-way hash. That means, there is no way to
reverse the process to get your pass back.

When you login to some web page, the password you provide to
the web browser is transmitted to the web server, where apache
gets it, and then apache creates the hash from that. After that it
checks if those two hashes match. If they don't, then obviously
the passwords are not the same.

One more thing: you can get the SAME hash value for two
DIFFERENT passwords, because of the way the one-way-hash
method works. But, to be honest, the probability for encountering
such case is rather too low.

The answer is "you cannot decrypt it, but you can break it with
some brute force password guessing tools"
0
nepostojeci_emailCommented:
if you were wondering which tool for "educational purposes" could
be used to check the strength of the password ;) then you can check:

"The GreyHat Guide to: cracking .htaccess/.htpasswd passwords"
http://www.hungryhacker.com/articles/security/htaccess.html
0
mnb93Author Commented:
Just a note for MODS, I am actually using this for educational purposes.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

mnb93Author Commented:
I am looking for how it is encrypted, eg. HMAC'ed SHA1 ?
0
nepostojeci_emailCommented:
"To create the file, use the htpasswd utility that came with Apache."
http://httpd.apache.org/docs/2.0/howto/auth.html

"htpasswd encrypts passwords using either a  version  of  MD5
modified for Apache, or the system's crypt() routine.  Files
managed by htpasswd may contain  both  types  of  passwords;
some  user  records  may  have MD5-encrypted passwords while
others in the same file may have  passwords  encrypted  with
crypt()."
http://httpd.apache.org/docs/1.3/programs/htpasswd.html


It's a modified MD5 mostly.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ahoffmannCommented:
>  How does htaccess passwd "encryption" work OR How can I decrypt it?
htaccess does not encrypt
you probably mean htpasswd, which encrypts with UNIX's crypt() by default
or do you mean the transport coding if htaccess is used with Basic Authentication, then there is no encryption at all.
0
floorman67Commented:
how it works is a complex mathmatical formula in a one-way hash

how you decrypt it is, in your, nonexistant because you cant .. thats why its called a one way hash.

the downside of this is of cource there can be collissions, but for basic authentication, a collission isnt really important since your are only verifying an existing presence of the correct string by comparing the hashed value of the input agaisnt the saved hash value of the existing passowrd ... unless someone enters a string taht is the exact same hash value at random .. which isnt realy a viable concern considering the chance of it occurring at random, also becasue after 3 incorrect attempts the script resets to authentication error page.

as to the guy who stated about brute forcing, that isnt a possibility becasue of the nature of the http suthentication and page reset.
0
floorman67Commented:
ok my typing messed up a little .. i meant to say there is no *known* way currently to decrypt a one way hash otehr than brute force, which isnt a concern on http authentication
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.