-   Linux - Security (
-   -   Shell Password -vs- HTPASSWD Password? (

carlosinfl 10-14-2009 10:16 AM

Shell Password -vs- HTPASSWD Password?
I have a mail server that authenticates from the user's shell password listed in /etc/shadow (encrypted) and then my web server has some html documents that are password protected using 'htpasswd'. I tried to copy the encrypted password from /etc/shadow to my web servers htpasswd/passwd file. When I did, it would not let the user in to view the html pages because it did not like their password I copied over from the mail server. Can someone tell me why this does not work? Is the encryption a different algorithm for shell than htpasswd?

forrestt 10-14-2009 10:26 AM

The encryption is a different algorithm, but also using the shell password as a web password isn't something you want to do from a security perspective. The shell is protected by a time delay between attempted logins that is gradually increased with each attempt. The HTTP server does not do this. Therefore, a cracker can hit your web server hundreds of times a second (more or less depending on how you have your server configured), drastically reducing the time it would take to perform a brute force attack on your password.


All times are GMT -5. The time now is 11:58 PM.