Re: htpasswd security

by jalal <the_jalal(at)fastmail.fm>

 Date:  Wed, 7 Jul 2004 21:35:19 +0200
 To:  hwg-techniques(at)hwg.org
On Wed 7 July 2004 21:09, David Jones wrote:
> jalal wrote:
> > On Wed 7 July 2004 09:00, Greg Hart wrote:
> >>I've been trying to research the methods and security issues of using
> >>.htpasswd to protect directories. One key point is to not allow
> >>.htpasswd to be seen by a browser, as the visible encryption could be
> >>broken given time. However, I find that there's disagreement on where to
> >>put the file; many sites say to put it in the protected directory with
> >>the .htaccess that refers to it, while others say to put it at the root
> >>directory, above the web document folders. The latter makes more sense
> >>to me, as it would be totally out of reach of any public access, so why
> >>do so many suggest the protected directory? Is there some hidden benefit
> >>there I don't see?
> >>
> >>Thanks for any advice,
> >>
> >>Greg Hart
> >
> > I usually put it in the same directory with the .htaccess file. Some
> > sites I work with have a program (WebPassword) that creates and manages
> > the setup and that stores the htpasswd file in
> > /etc/webpassword/path/to/htaccess (or something like that).
> > Other sites have them stored in other places.
> >
> > I prefer to put them in the same directory as the .htaccess file as it
> > makes it easier to find them and know where they are.
> >
> > It may seem an issue that users can see the .htpasswd or .htaccess files,
> > but by default Apache will not allow them to be delivered to a browser,
> > so that is a non-issue.
> >
> > HTH
>
> IIRC, you need to have them in the directory that you want password
> protected. If you put it in the root of your site, then I'd think it
> would apply to the whole site ...
>
> I haven't looked into it, not having done a site that required password
> protection at that level.

The .htaccess file goes into the directory that you want it applied to.
The .htpasswd goes wherever you like (as long as it is 'pointed to' by 
the .htaccess file).

-- 

GPG fingerprint = 3D45 5509 D380 26A4 523E  A9D8 A66A 5F38 CA43 BB0E
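The layout described in this reply, written out as an added example (not part of the original thread or of Apache's own documentation): the .htaccess lives in the protected directory, while AuthUserFile points to a password file kept outside DocumentRoot. The directory names, the realm string, and the user name are placeholders; the syntax is Apache 2.4.

```apache
# --- /var/www/html/private/.htaccess  (placeholder path) ---
# This file must sit in the directory being protected. It is only honoured if
# httpd.conf grants "AllowOverride AuthConfig" (or All) for that directory;
# otherwise Apache silently ignores it and the directory stays open.
AuthType Basic
AuthName "Members only"
# AuthUserFile takes an absolute path. Keeping the file outside DocumentRoot
# means no URL maps to it, so the "seen by a browser" worry never arises.
# A relative path would be resolved against ServerRoot, not this directory.
AuthUserFile /etc/apache2/auth/private.htpasswd
Require valid-user

# Create or update that file with bcrypt hashes (-B) rather than the old
# crypt()/MD5 ones, which is the mitigation for the brute-force concern
# raised at the top of the thread:
#   htpasswd -cB /etc/apache2/auth/private.htpasswd alice   # -c only the first time

# --- fragment of the stock httpd.conf (Apache 2.4) ---
# This block ships in the default configuration and is what makes any
# .htaccess or .htpasswd left inside the web tree undeliverable to browsers.
# Check it is still present before relying on the "same directory" layout.
<Files ".ht*">
    Require all denied
</Files>
```

Test the result with a request for the password file itself (it should return 403 when the file is inside the tree, 404 when it is outside) as well as for the protected directory (401 without credentials).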

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA