sKunKbad Posted October 28, 2007 Share Posted October 28, 2007 I have been using a secured folder on my server. I have the standard .htaccess authentication file in that folder, and standard .htpasswd file elsewhere. Today I noticed that I could type in quite a few passwords with my username that would pass authentication, even though they were not valid passwords. Most of the time the authentication works, but when the non-valid passwords were pretty close to the real password, access to the folder was allowed! .htaccess: AuthUserFile /home/content/r/b/g/rbgwebdesign/html/.htpasswd AuthGroupFile /dev/null AuthName "Confidential" AuthType Basic require valid-user .htpasswd rEalaDmin:cw3B.SFCbETnM The ecrypted password is 'wHateverDood', but the problem is, I have been able to gain access with passwords like: wHateverD00d, which is zeros instead of letter o's. wHateverDnnd, which is obviously not even close. wHateverDmmc, which is not even close. wHatevereeee, which is not even close. So I guess my question is, how strong is this method of authentication? It seems pretty weak, and I don't think I'm doing anything wrong. If the password is wrong in the first few letters, then access is not granted. Is there some limit to the number of letters that the password is good for?? Quote Link to comment https://forums.phpfreaks.com/topic/75067-how-strong-is-htpasswd/ Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.