About htpasswd – The file to store passwords

The htpasswd file is used when password protecting a website or a directory using HTTP Authentication and Apache’s htaccess files.

The htpasswd file contains usernames in plain text (unencrypted) and hashed (encrypted) passwords.

Each line contains a username and a password separated by a colon “:”. You cannot see the actual passwords, as they are hashed (encrypted) using a complex algorithm. The default algorithm differs from platform to platform: on Windows the passwords are hashed using MD5, and on Linux the hash is based on a system function called “crypt()”.

Normally the htpasswd file is named .htpasswd, but you can name your password file whatever you like. You could call it “passwords.txt”; however, Apache is usually configured to prevent access to .ht* files, i.e. files whose names start with “.ht”. If you name your password file “passwords.txt”, a user could access it and retrieve all valid usernames. Since the passwords are hashed he can’t use them directly, but knowing the usernames and hashes will help him gain access by brute force.

It is therefore recommended to name a password file .htpasswd.

Hashed passwords can be generated with the command-line tool htpasswd (htpasswd.exe on Windows) which is part of a normal Apache installation. You can also create passwords yourself using PHP.
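As an added example (not code from the article), the following Python reads the user:hash lines described above and verifies a password against Apache's MD5-based `$apr1$` scheme, the format `htpasswd -m` writes; it assumes only that scheme, and the sample file at the bottom is constructed for the demonstration.

```python
import hashlib
import hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):  # APR's to64(): `count` 6-bit groups, low bits first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_md5(password, salt):
    """Apache's $apr1$ scheme (MD5-based, 1000 rounds), as written by `htpasswd -m`."""
    pw, sb = password.encode(), salt[:8].encode()   # salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                  # per bit of len(pw): a NUL byte or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                     # stretching rounds; pw/salt/final order varies
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$apr1$%s$%s" % (sb.decode(), enc + _to64(final[11], 2))

def parse_htpasswd(text):  # one user:hash per line -> dict; blank and '#' lines are skipped
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")   # split on the first colon only
            users[user] = hashed
    return users

def check_password(users, user, password):
    """True only if `user` exists and `password` reproduces its stored $apr1$ hash."""
    stored = users.get(user, "")
    if not stored.startswith("$apr1$"):        # other schemes (crypt, SHA) not handled here
        return False
    salt = stored.split("$")[2]                # re-use the stored salt, then compare in constant time
    return hmac.compare_digest(apr1_md5(password, salt), stored)

# Constructed sample file (no real credentials): the hash is generated with apr1_md5 above.
SAMPLE = "# constructed .htpasswd\nalice:" + apr1_md5("correct horse", "Xy3.aBcD") + "\n"
```

Note that a wrong password, an unknown user and a hash in a scheme the checker does not know all fail the same way, so the caller learns nothing about which one happened.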
