.htpasswd / .htaccess is letting *almost* any password work

tags:

.htaccess
apache
security

views:

answers:

+2 Q:

.htpasswd / .htaccess is letting almost any password work

I set up .htaccess / .htpassword and It works, except when I type the password incorrectly it still logs me in.. If I use a completely different password, doesn't work. A different user name, it doesn't work.

But if I use the proper user name and mostly the right password, it works?

Example:

password I'm using is "firefight", and "firefighter" seems to work. "Hose" won't.

Any clue?

+2 A:

Only the first 8 characters are taken into consideration.

klausbyskov 2010-09-04 13:59:07

+6 A:

From the htpasswd page:

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

Richard Fearn 2010-09-04 13:59:44

This is something i never knew about crypt, +1

RobertPitt 2010-09-04 14:00:59

ansaurus

tags:

views:

answers:

.htpasswd / .htaccess is letting almost any password work

related questions