Go Premium for a chance to win a PS4. Enter to Win


How to validate a plaintext username/password against an existing .htpasswd file?

Posted on 2009-05-16
Medium Priority
Last Modified: 2012-05-07
Hello experts,

I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.

My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:


and let's say this line exists in the .htpasswd file:


How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?

Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.

If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.

If you can help, I'd really appreciate it!

Thank you,
Question by:utzi
  • 2
  • 2
LVL 11

Accepted Solution

Todd Mummert earned 2000 total points
ID: 24403583

assuming this is unix

use crypt

man 3 crypt

the first two characters of the .htpasswd password are the salt for the 2nd argument of crypt.

So pass the plaintext password and the salt to crypt() and check against htpasswd

Author Comment

ID: 24403593
Thanks for your reply! I'll try that and post what I find... might be an hour before I can get to it.
LVL 11

Expert Comment

by:Todd Mummert
ID: 24403614

No problem.  I should have mentioned that many languages (perl, php)  have a simliarly named crypt function that takes the same type of arguments.

Author Closing Comment

ID: 31623708
Excellent... I just used PHP's crypt() to do this and it works as desired.  I didn't even need to split off the first two chars for the salt. Thanks for the info!

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month6 days, 2 hours left to enroll

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question