LinuxQuestions.org

https://www.linuxquestions.org/questions/linux-security-4/htpasswd-allows-incomplete-password-weird-867597/

dhrumantgoradia 03-09-2011 09:35 PM

htpasswd allows incomplete password (weird)
 
Hi there, I've set up .htpasswd and a .htaccess file.

The password is a0bc0def0g3

If I enter that password, it lets me in.

If I enter a0bc0def0g it also works. I've never seen this before and it is totally weird. Any suggestions?

macemoneta 03-09-2011 09:46 PM

From here:

Quote:

Web password files such as those managed by htpasswd should not be within the Web server's URI space -- that is, they should not be fetchable with a browser.

This program is not safe as a setuid executable. Do not make it setuid.

The use of the -b option is discouraged, since when it is used the unencrypted password appears on the command line.

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

The SHA encryption format does not use salting: for a given password, there is only one encrypted representation. The crypt() and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult.
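Added example, not code from the thread or from Apache: a small auditor for an .htpasswd file that classifies each entry by the hash format htpasswd emits and flags the two issues quoted above, crypt() checking only the first 8 characters (so a0bc0def0g3 and a0bc0def0g verify as the same password) and {SHA} being unsalted. The sample file is constructed; every hash string in it except the {SHA} line is a shape-correct placeholder, not a real digest.

```python
import base64
import hashlib
import re

CRYPT_TRUNCATION = 8  # traditional DES crypt() silently drops the rest

# (name, pattern, warning-or-None) for each format htpasswd can emit
FORMATS = [
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}$"), None),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$"), None),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
     "unsalted: one representation per password"),
    ("crypt", re.compile(r"^[./0-9A-Za-z]{13}$"),
     f"crypt(): only the first {CRYPT_TRUNCATION} password chars are checked"),
]

def classify(hash_field):
    """Return (format name, warning-or-None) for one password field."""
    for name, pattern, warning in FORMATS:
        if pattern.match(hash_field):
            return name, warning
    return "unknown", "unrecognised hash format"

def effective_password(fmt, password):
    """The part of the password the given format actually verifies."""
    return password[:CRYPT_TRUNCATION] if fmt == "crypt" else password

def sha_entry(user, password):
    """Build a {SHA} line as htpasswd -s does: base64(SHA-1), no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def audit(htpasswd_text):
    """Return (user, format, warning) for each non-empty, non-comment line."""
    findings = []
    for line in htpasswd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, hash_field = line.partition(":")
            findings.append((user,) + classify(hash_field))
    return findings

# Constructed sample file: apr1, crypt and bcrypt fields are placeholders.
SAMPLE = "\n".join([
    "alice:$apr1$Ab1cD2eF$0123456789abcdefghijkl",
    sha_entry("bob", "a0bc0def0g3"),
    "carol:abJnggxhB/yWI",
    "dave:$2y$05$" + "N" * 53,
])

if __name__ == "__main__":
    for user, fmt, warning in audit(SAMPLE):
        print(f"{user:6} {fmt:9} {warning or 'ok'}")
```

Running it lists carol's crypt() entry as truncating and bob's {SHA} entry as unsalted, while the apr1 and bcrypt entries pass.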

dhrumantgoradia 03-09-2011 09:56 PM

Thank you very much, I spent the whole day trying to figure it out, can't believe the answer was right in front of me. I read that page a few times and missed it.

(Kicking myself now, and embarrassed)

macemoneta 03-09-2011 09:58 PM

Don't worry about it, it happens to all of us. I call it 'target blindness' - whatever we're looking for is the one thing our eyes keep skipping over. :)
