  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 17792

How does htaccess passwd "encryption" work OR How can I decrypt it?

Note: This is for educational purposes only.
0
Asked by: mnb93
6 Solutions
 
nepostojeci_email Commented:
You can use some brute force password attack tool which will try
guessing thousands of combinations in a second, and of course,
the time needed will depend on the complexity of the password
used.

This is because the password hash is stored in a pwd file, not
the password itself. The thing becomes worse when you find out
that the hash is a one-way hash. That means there is no way to
reverse the process to get your pass back.

When you log in to some web page, the password you provide to
the web browser is transmitted to the web server, where Apache
gets it, and then Apache creates the hash from that. After that it
checks if those two hashes match. If they don't, then obviously
the passwords are not the same.

One more thing: you can get the SAME hash value for two
DIFFERENT passwords, because of the way the one-way-hash
method works. But, to be honest, the probability of encountering
such a case is rather too low.

The answer is "you cannot decrypt it, but you can break it with
some brute force password guessing tools".
0
 
nepostojeci_email Commented:
If you were wondering which tool for "educational purposes" could
be used to check the strength of the password ;) then you can check:

"The GreyHat Guide to: cracking .htaccess/.htpasswd passwords"
http://www.hungryhacker.com/articles/security/htaccess.html
0
 
mnb93 (Author) Commented:
Just a note for MODS, I am actually using this for educational purposes.
0
 
mnb93 (Author) Commented:
I am looking for how it is encrypted, e.g. HMAC'ed SHA1?
0
 
nepostojeci_email Commented:
"To create the file, use the htpasswd utility that came with Apache."
http://httpd.apache.org/docs/2.0/howto/auth.html

"htpasswd encrypts passwords using either a version of MD5
modified for Apache, or the system's crypt() routine. Files
managed by htpasswd may contain both types of passwords;
some user records may have MD5-encrypted passwords while
others in the same file may have passwords encrypted with
crypt()."
http://httpd.apache.org/docs/1.3/programs/htpasswd.html


It's a modified MD5 mostly.
0
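An added example, not code from any poster in this thread: a Python sketch that reads htpasswd-style entries, identifies each entry's scheme from its format, and performs the hash-and-compare check described in the first answer for the unsalted `{SHA}` format. The `{SHA}` and bcrypt formats are not mentioned in the thread but are other formats htpasswd can write; the sample entries and the names `SAMPLE`, `classify`, `audit` and `verify_sha` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample entries. Only carol's {SHA} value is a real hash (of the
# string "password"); the other hash bodies are filler with the right shape.
SAMPLE = "\n".join([
    "alice:$apr1$Qx3v8sLd$" + "A" * 22,
    "bob:abCDefGHijKLM",
    "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "dave:$2y$05$" + "A" * 53,
    "erin:hunter2",
])

B64 = r"[./A-Za-z0-9]"  # alphabet used by crypt-style hashes
SCHEMES = [  # (name, pattern, property a reviewer cares about)
    ("bcrypt", re.compile(rf"^\$2[aby]\$\d\d\${B64}{{53}}$"), "salted, tunable cost"),
    ("apr1-md5", re.compile(rf"^\$apr1\${B64}{{1,8}}\${B64}{{22}}$"), "salted, 1000 MD5 rounds"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "unsalted, single SHA-1"),
    ("des-crypt", re.compile(rf"^{B64}{{13}}$"), "2-char salt, password cut at 8 chars"),
]

def classify(hash_field):
    """Return (scheme name, note) for the hash part of one entry."""
    for name, pattern, note in SCHEMES:
        if pattern.match(hash_field):
            return name, note
    return "unrecognised", "not a known htpasswd format (possibly plaintext)"

def audit(text):
    """Return {user: scheme name} for every user:hash line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comment lines and malformed lines
        user, hash_field = line.split(":", 1)
        result[user] = classify(hash_field)[0]
    return result

def verify_sha(candidate, hash_field):
    """Hash the submitted password the {SHA} way and compare in constant time."""
    digest = base64.b64encode(hashlib.sha1(candidate.encode()).digest()).decode()
    return hmac.compare_digest("{SHA}" + digest, hash_field)

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user:6} {scheme}")
```

Entries reported as `sha1`, `des-crypt` or `unrecognised` are the ones to regenerate with a salted scheme.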
 
ahoffmann Commented:
> How does htaccess passwd "encryption" work OR How can I decrypt it?
htaccess does not encrypt
you probably mean htpasswd, which encrypts with UNIX's crypt() by default
or do you mean the transport coding if htaccess is used with Basic Authentication? then there is no encryption at all.
0
 
floorman67 Commented:
how it works is a complex mathematical formula in a one-way hash

how you decrypt it is, in your, nonexistent because you can't .. that's why it's called a one way hash.

the downside of this is of course there can be collisions, but for basic authentication, a collision isn't really important since you are only verifying an existing presence of the correct string by comparing the hashed value of the input against the saved hash value of the existing password ... unless someone enters a string that is the exact same hash value at random .. which isn't really a viable concern considering the chance of it occurring at random, also because after 3 incorrect attempts the script resets to authentication error page.

as to the guy who stated about brute forcing, that isn't a possibility because of the nature of the http authentication and page reset.
0
 
floorman67 Commented:
ok my typing messed up a little .. i meant to say there is no *known* way currently to decrypt a one way hash other than brute force, which isn't a concern on http authentication
0
