• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 269
  • Last Modified:

Couple of .htaccess questions

I've got a couple of questions about .htaccess and .htpasswd files...

1. What is the difference between AuthTypes?
-AuthType Basic
-AuthType Digest

2. What is the best method of protection in the .htpasswd files?
-base64
-md5
-SHA

0
basskozz
Asked:
basskozz
2 Solutions
 
VoteyDiscipleCommented:
The first thing to recognize is that base64 is not an encryption scheme of any kind.  It's a one-to-one encoding of text in a particular format, so if you show me a base64 encoded copy of your password it'll take me all of a second and a half to "decode" it and figure out your real password.

AuthType Basic works by taking your username, a colon, and your password ("scott:tiger") and base64 encoding that, and transmitting that.  If you're on an SSL connection this is perfectly sufficient.  Sure, it's transmitting the password "in the clear" but it's doing so over SSL, so nobody can see it anyway.  If you're not using SSL, this is pretty dumb.

AuthType Digest, on the other hand (which I don't think I've ever used) is supposed to transmit only a hashed value, which thus keeps people from figuring out the user's password.  I do not know offhand the details for how this works.


I'm thoroughly surprised to hear base64 is offered as a mode of "protecting" anything .htpasswd files at all, but if it is then avoiding it like the plague would be a good idea (for the same reason I just gave).

Between MD5 and SHA1 I don't know that there's any real cryptographic argument but on that I could very well be mistaken; I'll leave that for people who studied detailed cryptography more recently than I to fill in.  (-:

0
 
basskozzAuthor Commented:
Thanks Votey,

Anyone else able to explain the difference between "Basic"' & "Digest" AuthTypes ?  And md5 vs. SHA ?

Thanks,
-Chris
0
 
giltjrCommented:
MD5 and SHA are not encryption methods, but methods of creating a hash that can then be used to perform encryption.

http://en.wikipedia.org/wiki/SHA-1

http://en.wikipedia.org/wiki/MD5


Votey is correct on the Basic authtype.  Your userid and password is just encoded just in case you have a character in either that could be interperted as a control character by the web server.  

Now, authtype Digest uses the password as the input to MD5 and the results are a hash.  The hash is then sent across the network.  The sever uses the password it has for that user, and performs the MD5 routine on it and then compares the results with what it received from the client.

http://apache.active-venture.com/auth-digest.html


0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now