We help IT Professionals succeed at work.

Couple of .htaccess questions

basskozz
basskozz asked
on
Medium Priority
275 Views
Last Modified: 2012-05-05
I've got a couple of questions about .htaccess and .htpasswd files...

1. What is the difference between AuthTypes?
-AuthType Basic
-AuthType Digest

2. What is the best method of protection in the .htpasswd files?
-base64
-md5
-SHA

Comment
Watch Question

The first thing to recognize is that base64 is not an encryption scheme of any kind.  It's a one-to-one encoding of text in a particular format, so if you show me a base64 encoded copy of your password it'll take me all of a second and a half to "decode" it and figure out your real password.

AuthType Basic works by taking your username, a colon, and your password ("scott:tiger") and base64 encoding that, and transmitting that.  If you're on an SSL connection this is perfectly sufficient.  Sure, it's transmitting the password "in the clear" but it's doing so over SSL, so nobody can see it anyway.  If you're not using SSL, this is pretty dumb.

AuthType Digest, on the other hand (which I don't think I've ever used) is supposed to transmit only a hashed value, which thus keeps people from figuring out the user's password.  I do not know offhand the details for how this works.


I'm thoroughly surprised to hear base64 is offered as a mode of "protecting" anything .htpasswd files at all, but if it is then avoiding it like the plague would be a good idea (for the same reason I just gave).

Between MD5 and SHA1 I don't know that there's any real cryptographic argument but on that I could very well be mistaken; I'll leave that for people who studied detailed cryptography more recently than I to fill in.  (-:

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Thanks Votey,

Anyone else able to explain the difference between "Basic"' & "Digest" AuthTypes ?  And md5 vs. SHA ?

Thanks,
-Chris
CERTIFIED EXPERT
Top Expert 2014
Commented:
MD5 and SHA are not encryption methods, but methods of creating a hash that can then be used to perform encryption.

http://en.wikipedia.org/wiki/SHA-1

http://en.wikipedia.org/wiki/MD5


Votey is correct on the Basic authtype.  Your userid and password is just encoded just in case you have a character in either that could be interperted as a control character by the web server.  

Now, authtype Digest uses the password as the input to MD5 and the results are a hash.  The hash is then sent across the network.  The sever uses the password it has for that user, and performs the MD5 routine on it and then compares the results with what it received from the client.

http://apache.active-venture.com/auth-digest.html


Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.