Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
how would someone get their hands on the .htpasswd file?
The only way would be if you're running some old unpatched apache version that has some kind of remote exploit or if you allow something like ssh and haven't changed the permissions on your .htpasswd file. If someone has gotten a hold of your .htpasswd, you need to to upgrade to the latest apache version and change the passwords on your .htpasswd file for that directory and change the permissions of the .htpasswd files to be inaccessible to others.
Precisely. So stop throwing a tantrum in this thread.
namit: The premise of htpasswd is similar to system passwords in Unix/Linux. A hash of the password is made. The password can be cracked, but the hash cannot be reversed to enumerate the password.
I was throwing a tantrum? I'm just trying to understand why this question was asked. There's no real way to get someone's .htpasswd file unless someone's machine got owned. And if someone's machine got owned, an attacker's not going to bother with .htpasswd. The parent poster's question seemed more like wanting some tool or some way of breaking htpasswd. If this is the poster's own system, there's ways of making it so no one other than the apache process and/or the root user can see the .htaccess file. In other words, I felt I answered the question in such a way that you wouldn't have to worry about a compromised .htpasswd file.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.