Re: htpasswd security

by jalal <the_jalal(at)fastmail.fm>

 Date:  Wed, 7 Jul 2004 10:38:23 +0200
 To:  hwg-techniques(at)hwg.org
On Wed 7 July 2004 09:00, Greg Hart wrote:
> I've been trying to research the methods and security issues of using
> .htpasswd to protect directories. One key point is to not allow
> .htpasswd to be seen by a browser, as the visible encryption could be
> broken given time. However, I find that there's disagreement on where to
> put the file; many sites say to put it in the protected directory with
> the .htaccess that refers to it, while others say to put it at the root
> directory, above the web document folders. The latter makes more sense
> to me, as it would be totally out of reach of any public access, so why
> do so many suggest the protected directory? Is there some hidden benefit
> there I don't see?
>
> Thanks for any advice,
>
> Greg Hart

I usually put it in the same directory with the .htaccess file. Some sites I 
work with have a program (WebPassword) that creates and manages the setup and 
that stores the htpasswd file in /etc/webpassword/path/to/htaccess (or 
something like that).
Other sites have them stored in other places.

I prefer to put them in the same directory as the .htaccess file as it makes 
it easier to find them and know where they are.

It may seem an issue that users can see the .htpasswd or .htaccess files, but 
by default Apache will not allow them to be delivered to a browser, so that 
is a non-issue.

HTH

-- 

GPG fingerprint = 3D45 5509 D380 26A4 523E  A9D8 A66A 5F38 CA43 BB0E
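
The check behind the reply above, added here as an example and not part of the thread: it parses AuthUserFile/AuthGroupFile directives from an .htaccess (constructed samples; the /etc/webpassword path is made up, echoing the WebPassword layout jalal describes) and reports whether each credential file sits outside DocumentRoot, inside it under a name Apache's stock <Files ".ht*"> deny rule covers, or inside it under a name that rule does not cover.

```python
import re
from pathlib import PurePosixPath

# Constructed sample .htaccess files (not from the thread): the first keeps
# the password file beside .htaccess, the second uses a made-up /etc path.
HTACCESS_IN_DOCROOT = """\
AuthType Basic
AuthName "Members"
AuthUserFile /var/www/html/members/.htpasswd
Require valid-user
"""
HTACCESS_OUTSIDE = """\
AuthType Basic
AuthName "Members"
AuthUserFile "/etc/webpassword/members/htpasswd"
Require valid-user
"""

AUTH_RE = re.compile(r'^\s*Auth(?:User|Group)File\s+"?([^"\s]+)"?', re.IGNORECASE)
OUTSIDE = "outside DocumentRoot"
HIDDEN = "inside DocumentRoot, relies on the default .ht* deny rule"
EXPOSED = "inside DocumentRoot and NOT matched by the .ht* deny rule"

def auth_files(htaccess_text, server_root="/etc/apache2"):
    """Absolute paths named by AuthUserFile/AuthGroupFile directives."""
    paths = []
    for line in htaccess_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            p = PurePosixPath(m.group(1))
            # Apache resolves a relative path against ServerRoot, not the .htaccess directory.
            paths.append(p if p.is_absolute() else PurePosixPath(server_root) / p)
    return paths

def audit(htaccess_text, document_root, server_root="/etc/apache2"):
    """Classify each credential file by where it sits relative to DocumentRoot."""
    root = PurePosixPath(document_root)
    findings = []
    for path in auth_files(htaccess_text, server_root):
        inside = path.parts[:len(root.parts)] == root.parts
        if not inside:
            verdict = OUTSIDE
        elif path.name.startswith(".ht"):  # covered by Apache's stock <Files ".ht*"> deny
            verdict = HIDDEN
        else:
            verdict = EXPOSED
        findings.append((str(path), verdict))
    return findings
```

Run audit() over each .htaccess with the site's DocumentRoot; an EXPOSED verdict means the credential file is reachable by URL unless a site-specific deny rule covers it.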

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA