View Full Version : Apache .htpasswd inquiry.

01-29-2009, 02:05 AM
1) Script Title: Apache .htaccess & .htpasswd

2) Script URL (on DD): http://www.tools.dynamicdrive.com/password/

3) Describe problem:

1.) when using the password generator (http://www.tools.dynamicdrive.com/password/), for the .htpasswd file, i notice that no matter how long the actual password is, the encrypted version only shows the first 13 characters. (and i'm asking this right now, as atm i can not test this for myself. if i could, i would just create a 13+ character password and try it using only the first 13 characters, and if it accepts it, then i'd know that after 13 characters it gets culled.) so is the password limited to only 13 characters ? (or are only 13 characters shown for security reasons?)

1b.) if the answer to the above is that it is not limited to 13 characters, then that brings up another question: how does the file store more then 13 characters when it only has 13 ???? (unless i don't get the gist of how the whole thing works) shouldn't the number of characters shown in the encrypted file be the same in length as your password length ??

1c.) why is the password limited to only alphanumeric characters ? is it a limitation of the apache rules for .htpasswd ? (because using other characters would surely greatly enhance the password)

1d.) with my previous host i did have access to the level prior to the public path for my server. now i'm using shared godaddy hosting (linux) and i do not have such access. so what would my path be now if for example i wanted to protect the contents of folder 2 ? (ie: www.mysite.com/folder1/folder2/) and since i no longer have access to a level above the public folder, does this mean i shouldn't even bother with trying to use the apache .htpasswd/.htaccess method ?? (but if i should still use it, what ways can i make it - the using of the method - more secure ?)


01-29-2009, 06:58 AM
1) Regarding the password length at which point any characters entered is ignored, I believe this is a Apache setting, with 13 being the default. I could be entirely wrong, but here's a thread that sheds some light on the issue: http://www.webmasterworld.com/apache/3283888.htm

2) There are a few other characters beside alphanumeric that are allowed I believe, but just for sake of simplicity, I made the tool to only accept those characters.

3) Basically .htaccess protects the directory it's in, plus all sub directories of it. Your non WWW root directory do not need protection since it's non WWW accessible already.

01-29-2009, 07:04 AM
3) Basically .htaccess protects the directory it's in, plus all sub directories of it. Your non WWW root directory do not need protection since it's non WWW accessible already.

you lost me. i clearly stated that with my current host (shared godaddy) i do NOT have access to a directory other then my site's root. so i can NOT place the .htaccess as it is recommended. the one i'm using now is placed in the root of my site (mariosworld.org) with my previous host i could go down one more directory before that, which was actually called "www" and place it there. i can no longer do this.

01-29-2009, 06:34 PM
That's my point actually- it shouldn't matter whether you place your .htaccess file in the directory above (one level up) from the root www directory, or within the root www directory itself:


When it comes to password protection, .htaccess protects web pages from being viewed by outsiders. Placing the file in either of the locations above accomplish the same thing- that is, it prompts the user for a password when he/she goes to any page in /mysite/www.

01-30-2009, 12:16 AM
??? really ??
then what about the bold statement. (i'm easily confused)

Q: For 2) above, what should I enter as the path?
A: ".htpasswd" is a text file that is used to contain your usernames and encrypted passwords. Enter the path you will be placing your .htpasswd file (which contains the usernames/passwords) on the server. It should be a non user accessible location, such as directly above your public HTML folder. This is to prevent visitors from directly viewing this file in their web browser.

01-30-2009, 03:53 AM
Ideally you should always place the .htaccess file above the web accessible, /www directory, in case your server isn't configured to automatically disallow viewing of .htaccess files, by going to http://mysite.com/.htaccess, for example. However, most web hosts disable this by default already, so it's not an issue as long as you belong in that category.

10-22-2009, 01:32 PM
Is there a way we can add exception to one file under the directory protected by .htpasswd", like an "index.html".