Solved

Couple of .htaccess questions

Posted on 2006-11-05
3
239 Views
Last Modified: 2012-05-05
I've got a couple of questions about .htaccess and .htpasswd files...

1. What is the difference between AuthTypes?
-AuthType Basic
-AuthType Digest

2. What is the best method of protection in the .htpasswd files?
-base64
-md5
-SHA

0
Comment
Question by:basskozz
3 Comments
 
LVL 19

Assisted Solution

by:VoteyDisciple
VoteyDisciple earned 50 total points
ID: 17876977
The first thing to recognize is that base64 is not an encryption scheme of any kind.  It's a one-to-one encoding of text in a particular format, so if you show me a base64 encoded copy of your password it'll take me all of a second and a half to "decode" it and figure out your real password.

AuthType Basic works by taking your username, a colon, and your password ("scott:tiger") and base64 encoding that, and transmitting that.  If you're on an SSL connection this is perfectly sufficient.  Sure, it's transmitting the password "in the clear" but it's doing so over SSL, so nobody can see it anyway.  If you're not using SSL, this is pretty dumb.

AuthType Digest, on the other hand (which I don't think I've ever used) is supposed to transmit only a hashed value, which thus keeps people from figuring out the user's password.  I do not know offhand the details for how this works.


I'm thoroughly surprised to hear base64 is offered as a mode of "protecting" anything .htpasswd files at all, but if it is then avoiding it like the plague would be a good idea (for the same reason I just gave).

Between MD5 and SHA1 I don't know that there's any real cryptographic argument but on that I could very well be mistaken; I'll leave that for people who studied detailed cryptography more recently than I to fill in.  (-:

0
 

Author Comment

by:basskozz
ID: 17877716
Thanks Votey,

Anyone else able to explain the difference between "Basic"' & "Digest" AuthTypes ?  And md5 vs. SHA ?

Thanks,
-Chris
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 17878223
MD5 and SHA are not encryption methods, but methods of creating a hash that can then be used to perform encryption.

http://en.wikipedia.org/wiki/SHA-1

http://en.wikipedia.org/wiki/MD5


Votey is correct on the Basic authtype.  Your userid and password is just encoded just in case you have a character in either that could be interperted as a control character by the web server.  

Now, authtype Digest uses the password as the input to MD5 and the results are a hash.  The hash is then sent across the network.  The sever uses the password it has for that user, and performs the MD5 routine on it and then compares the results with what it received from the client.

http://apache.active-venture.com/auth-digest.html


0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Problem to be resolved in this article Currently, development of website and web application can be done without writing thousands of lines of programming code by hand. Description This can be done through by using a open source framework such …
Any business that wants to seriously grow needs to keep the needs and desires of an international audience of their websites in mind. Making a website friendly to international users isn’t prohibitively expensive and can provide an incredible return…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
This video teaches users how to migrate an existing Wordpress website to a new domain.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now