Solved

Couple of .htaccess questions

Posted on 2006-11-05
3
254 Views
Last Modified: 2012-05-05
I've got a couple of questions about .htaccess and .htpasswd files...

1. What is the difference between AuthTypes?
-AuthType Basic
-AuthType Digest

2. What is the best method of protection in the .htpasswd files?
-base64
-md5
-SHA

0
Comment
Question by:basskozz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 19

Assisted Solution

by:VoteyDisciple
VoteyDisciple earned 50 total points
ID: 17876977
The first thing to recognize is that base64 is not an encryption scheme of any kind.  It's a one-to-one encoding of text in a particular format, so if you show me a base64 encoded copy of your password it'll take me all of a second and a half to "decode" it and figure out your real password.

AuthType Basic works by taking your username, a colon, and your password ("scott:tiger") and base64 encoding that, and transmitting that.  If you're on an SSL connection this is perfectly sufficient.  Sure, it's transmitting the password "in the clear" but it's doing so over SSL, so nobody can see it anyway.  If you're not using SSL, this is pretty dumb.

AuthType Digest, on the other hand (which I don't think I've ever used) is supposed to transmit only a hashed value, which thus keeps people from figuring out the user's password.  I do not know offhand the details for how this works.


I'm thoroughly surprised to hear base64 is offered as a mode of "protecting" anything .htpasswd files at all, but if it is then avoiding it like the plague would be a good idea (for the same reason I just gave).

Between MD5 and SHA1 I don't know that there's any real cryptographic argument but on that I could very well be mistaken; I'll leave that for people who studied detailed cryptography more recently than I to fill in.  (-:

0
 

Author Comment

by:basskozz
ID: 17877716
Thanks Votey,

Anyone else able to explain the difference between "Basic"' & "Digest" AuthTypes ?  And md5 vs. SHA ?

Thanks,
-Chris
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 17878223
MD5 and SHA are not encryption methods, but methods of creating a hash that can then be used to perform encryption.

http://en.wikipedia.org/wiki/SHA-1

http://en.wikipedia.org/wiki/MD5


Votey is correct on the Basic authtype.  Your userid and password is just encoded just in case you have a character in either that could be interperted as a control character by the web server.  

Now, authtype Digest uses the password as the input to MD5 and the results are a hash.  The hash is then sent across the network.  The sever uses the password it has for that user, and performs the MD5 routine on it and then compares the results with what it received from the client.

http://apache.active-venture.com/auth-digest.html


0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
CTAs encourage people to do something specific to show interest in your company, product or service. Keep reading to learn why CTAs should always be thought of as extremely important, albeit small, sections of websites.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question