How to validate a plaintext username/password against an existing .htpasswd file?

Posted on 2009-05-16
Last Modified: 2012-05-07
Hello experts,

I have an unusual question about an .htpasswd file. I've recently rebuilt a website on a LAMP box; the old site has a members area protected with .htaccess/.htpasswd. The new site uses a different method of access control. When the new site is launched, I want to make a special login area for the members of the old site where they can enter their username/password and receive a coupon code for a free month of access if they cancel their old membership and sign up again under the new system.

My problem is that I'm not sure how to do this. I thought it would be simple to take the username/password entered in the special login area and use the htpasswd program on the server to validate the combination. For example, let's say the person claiming to be an existing member gives this username/password combo:


and let's say this line exists in the .htpasswd file:


How can I verify that "Um9Ykdtrljx1s" does, or does not, represent "abc123"?

Does the htpasswd program use a one-way hash to produce its encrypted password? If so, there must be a hash key on the system somewhere that I could use on the user-supplied password to produce an encrypted string that could be compared to the one for that user in the .htpasswd file.

If I can't use the htpasswd program on apache for this, what else can I do? This must have a simple solution somehow.

If you can help, I'd really appreciate it!

Thank you,
Question by:utzi
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 11

Accepted Solution

climbgunks earned 500 total points
ID: 24403583

assuming this is unix

use crypt

man 3 crypt

the first two characters of the .htpasswd password are the salt for the 2nd argument of crypt.

So pass the plaintext password and the salt to crypt() and check against htpasswd

Author Comment

ID: 24403593
Thanks for your reply! I'll try that and post what I find... might be an hour before I can get to it.
LVL 11

Expert Comment

ID: 24403614

No problem.  I should have mentioned that many languages (perl, php)  have a simliarly named crypt function that takes the same type of arguments.

Author Closing Comment

ID: 31623708
Excellent... I just used PHP's crypt() to do this and it works as desired.  I didn't even need to split off the first two chars for the salt. Thanks for the info!

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question