Couple of .htaccess questions

Posted on 2006-11-05
Medium Priority
Last Modified: 2012-05-05
I've got a couple of questions about .htaccess and .htpasswd files...

1. What is the difference between AuthTypes?
-AuthType Basic
-AuthType Digest

2. What is the best method of protection in the .htpasswd files?

Question by:basskozz
LVL 19

Assisted Solution

VoteyDisciple earned 200 total points
ID: 17876977
The first thing to recognize is that base64 is not an encryption scheme of any kind.  It's a one-to-one encoding of text in a particular format, so if you show me a base64 encoded copy of your password it'll take me all of a second and a half to "decode" it and figure out your real password.

AuthType Basic works by taking your username, a colon, and your password ("scott:tiger") and base64 encoding that, and transmitting that.  If you're on an SSL connection this is perfectly sufficient.  Sure, it's transmitting the password "in the clear" but it's doing so over SSL, so nobody can see it anyway.  If you're not using SSL, this is pretty dumb.

AuthType Digest, on the other hand (which I don't think I've ever used) is supposed to transmit only a hashed value, which thus keeps people from figuring out the user's password.  I do not know offhand the details for how this works.

I'm thoroughly surprised to hear base64 is offered as a mode of "protecting" anything .htpasswd files at all, but if it is then avoiding it like the plague would be a good idea (for the same reason I just gave).

Between MD5 and SHA1 I don't know that there's any real cryptographic argument but on that I could very well be mistaken; I'll leave that for people who studied detailed cryptography more recently than I to fill in.  (-:


Author Comment

ID: 17877716
Thanks Votey,

Anyone else able to explain the difference between "Basic"' & "Digest" AuthTypes ?  And md5 vs. SHA ?

LVL 57

Accepted Solution

giltjr earned 1000 total points
ID: 17878223
MD5 and SHA are not encryption methods, but methods of creating a hash that can then be used to perform encryption.



Votey is correct on the Basic authtype.  Your userid and password is just encoded just in case you have a character in either that could be interperted as a control character by the web server.  

Now, authtype Digest uses the password as the input to MD5 and the results are a hash.  The hash is then sent across the network.  The sever uses the password it has for that user, and performs the MD5 routine on it and then compares the results with what it received from the client.



Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
How do you create a user-centered user experience on your website? And what are some things you should consider in the process?
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question