How does htaccess passwd "encryption" work OR How can I decrypt it?

Posted on 2006-03-30
Last Modified: 2012-08-13

Note: This is for educational purposes only.
Question by:mnb93
    LVL 8

    Assisted Solution

    You can use some brute force password attack tool which will try
    guessing thousands of combinations in a second, and of course,
    the time needed will depend on the complexity of the password.

    This is because the password hash is stored in a pwd file, not
    the password itself. The thing becomes worse when you find out
    that the hash is a one-way hash. That means, there is no way to
    reverse the process to get your pass back.

    When you login to some web page, the password you provide to
    the web browser is transmitted to the web server, where apache
    gets it, and then apache creates the hash from that. After that it
    checks if those two hashes match. If they don't, then obviously
    the passwords are not the same.

    One more thing: you can get the SAME hash value for two
    DIFFERENT passwords, because of the way the one-way-hash
    method works. But, to be honest, the probability of encountering
    such a case is rather low.

    The answer is "you cannot decrypt it, but you can break it with
    some brute force password guessing tools"
    LVL 8

    Assisted Solution

    if you were wondering which tool for "educational purposes" could
    be used to check the strength of the password ;) then you can check:

    "The GreyHat Guide to: cracking .htaccess/.htpasswd passwords"
    LVL 5

    Author Comment

    Just a note for MODS, I am actually using this for educational purposes.
    LVL 5

    Author Comment

    I am looking for how it is encrypted, e.g. HMAC'ed SHA1?
    LVL 8

    Accepted Solution

    "To create the file, use the htpasswd utility that came with Apache."

    "htpasswd encrypts passwords using either a version of MD5
    modified for Apache, or the system's crypt() routine. Files
    managed by htpasswd may contain both types of passwords;
    some user records may have MD5-encrypted passwords while
    others in the same file may have passwords encrypted with

    It's a modified MD5 mostly.
    LVL 51

    Assisted Solution

    >  How does htaccess passwd "encryption" work OR How can I decrypt it?
    htaccess does not encrypt
    you probably mean htpasswd, which encrypts with UNIX's crypt() by default
    or do you mean the transport coding if htaccess is used with Basic Authentication, then there is no encryption at all.
    LVL 5

    Assisted Solution

    how it works is a complex mathematical formula in a one-way hash

    how you decrypt it is, in your case, nonexistent because you can't .. that's why it's called a one way hash.

    the downside of this is of course there can be collisions, but for basic authentication, a collision isn't really important since you are only verifying an existing presence of the correct string by comparing the hashed value of the input against the saved hash value of the existing password ... unless someone enters a string that is the exact same hash value at random .. which isn't really a viable concern considering the chance of it occurring at random, also because after 3 incorrect attempts the script resets to authentication error page.

    as to the guy who stated about brute forcing, that isn't a possibility because of the nature of the http authentication and page reset.
    LVL 5

    Assisted Solution

    ok my typing messed up a little .. i meant to say there is no *known* way currently to decrypt a one way hash other than brute force, which isn't a concern on http authentication
