Posted to users@httpd.apache.org by Milind Sawant <mi...@skandiabank.ch> on 2002/04/16 16:04:52 UTC

RE: basic authentication in apache 1.3.19 ignoring more than 8characters in the password.

Hi

thanks for your concern

The Basic Authentication in apache uses the htpasswd utility to generate
passwords.

A) The default option is -d (force CRYPT encryption of the password).
	You can create a password of more than 8 characters,
	but only the first 8 characters are relevant.
	As Owen Boyle has rightly pointed out, if "xxxxxxxxYBDCDC" is your password
	and on authentication you supply "xxxxxxxxADBDD" as the password, you can log in.

B) Using other options like -m (MD5 encryption) and -s (SHA encryption) doesn't work.
	I can generate the password but get a password mismatch error on authentication.


Do you have the same experience?


Milind

Milind Sawant
Web Administrator (Apollo)
TCS

+0041 1 288 4675


-----Original Message-----
From: obo@bourse.ch [mailto:obo@bourse.ch]
Sent: 16 April 2002 15:28
To: users@httpd.apache.org
Subject: Re: basic authentication in apache 1.3.19 ignoring more than
8characters in the password.


Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword).  I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.

Did you test whether all the characters were significant? AFAIK, apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the same.

Rgds,

Owen Boyle.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


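An added example, not part of the thread: a small audit that reads htpasswd-style `user:hash` lines, reports which of the three htpasswd options discussed above (-d, -m, -s) produced each entry, and lists the CRYPT entries, where only the first 8 password characters count. The function names and the sample file are constructed for illustration; the CRYPT and MD5 hash strings are shape-only placeholders, and the two passwords are the ones quoted in the thread.

```python
import base64
import hashlib
import hmac
import re

# Traditional crypt(3) output: 2 salt characters + 11 hash characters.
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

def sha_entry(password):
    """Build an htpasswd -s value: "{SHA}" + base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def classify(hash_field):
    """Map a stored hash to the htpasswd option that produces that format."""
    if hash_field.startswith("$apr1$"):
        return "MD5"      # htpasswd -m
    if hash_field.startswith("{SHA}"):
        return "SHA"      # htpasswd -s
    if CRYPT_RE.fullmatch(hash_field):
        return "CRYPT"    # htpasswd -d
    return "UNKNOWN"

def audit(text):
    """Return {user: scheme} for every user:hash line in the file text."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, hash_field = line.strip().split(":")[:2]
        result[user] = classify(hash_field)
    return result

def truncated_users(text):
    """Users whose stored hash only depends on the first 8 characters."""
    return sorted(u for u, s in audit(text).items() if s == "CRYPT")

def check_sha(hash_field, password):
    """Verify a {SHA} entry; the digest covers the whole password."""
    return hmac.compare_digest(hash_field, sha_entry(password))

# Constructed sample file; user names and placeholder hashes are made up.
SAMPLE = "\n".join([
    "alice:ab" + "X" * 11,
    "bob:$apr1$saltsalt$" + "Y" * 22,
    "carol:" + sha_entry("thisisalongpassword"),
])

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("first-8-only:", truncated_users(SAMPLE))
```
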