How To Decrypt Htpasswd Password

Introduction

When setting up a web server, there are often sections of the site that you wish to restrict access to. Web applications often provide their own authentication and authorization methods, but the web server itself can be used to restrict access if these are inadequate or unavailable.

The maximum length with the default encryption algorithm is 8, so if you use a longer password it will be trimmed without notice. If you want to use a longer password you can use the htpasswd tool with the -s.

The whole reason for using MD5 hashes is to keep from saving the password in a decryptable form. To verify authenticity you compare the MD5 sum of a password given with the MD5 sum that was created when the password was created. Then you never sacrifice the password.

I have no history or knowledge of how the .htpasswd file was created. The Apache documentation says that crypt encryption was used to encrypt passwords until version 2.2.17 and MD5 encryption is used since 2.2.18. How may I distinguish which encryption my .htpasswd file uses?

Hashes are designed not to be decryptable. Hence there is no way (unless you bruteforce for a loooong time) to get the password from the .htpasswd file. What you need to do is apply the same hash algorithm to the password provided to you and compare it to the hash in the .htpasswd file. If the user and hash are the same then you're a go.
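The question above, which scheme an existing .htpasswd file uses, can be answered from the shape of each hash field. The following is an added example, not code from the original page or from Apache: it classifies entries by prefix and verifies a `{SHA}` entry by re-hashing and comparing. The sample file is constructed, and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample file. Only the {SHA} entry is a real digest
# (of the string "password"); the other hash bodies are placeholders.
SAMPLE_HTPASSWD = """\
sammy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
alice:$apr1$Zk3.s9Qr$0123456789abcdefghijk.
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:rqXexS6ZhobKA
"""

def identify_scheme(hash_field):
    """Classify an .htpasswd hash field by its prefix or shape."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"            # Apache's salted, iterated MD5
    if hash_field.startswith("{SHA}"):
        return "sha1"                # base64 of an unsalted SHA-1 digest
    if re.match(r"^\$2[aby]\$\d{2}\$", hash_field):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt-des"           # traditional crypt(): 2-char salt + 11 chars
    return "unknown"

def parse_htpasswd(text):
    """Return {username: hash_field}, skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        entries[user] = hash_field
    return entries

def verify_sha1(password, hash_field):
    """Re-hash the candidate password and compare in constant time."""
    if not hash_field.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    expected = "{SHA}" + base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected.encode(), hash_field.encode())

def report(text):
    """Map each user in the file to the scheme its entry uses."""
    return {u: identify_scheme(h) for u, h in parse_htpasswd(text).items()}
```

The `{SHA}` format is an unsalted SHA-1 digest, so two users with the same password get identical entries; the Apache htpasswd documentation describes both it and crypt() as insecure by today's standards.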

In this guide, we’ll demonstrate how to password protect assets on an Apache web server running on Ubuntu 14.04.

Prerequisites

To get started, you will need access to an Ubuntu 14.04 server environment. You will need a non-root user with sudo privileges in order to perform administrative tasks. To learn how to create such a user, follow our Ubuntu 14.04 initial server setup guide.

Install the Apache Utilities Package

In order to create the file that will store the passwords needed to access our restricted content, we will use a utility called htpasswd. This is found in the apache2-utils package within the Ubuntu repositories.

Update the local package cache and install the package by typing this command. We will take this opportunity to also grab the Apache2 server in case it is not yet installed on the server:

Create the Password File

We now have access to the htpasswd command. We can use this to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory.

The first time we use this utility, we need to add the -c option to create the specified file. We specify a username (sammy in this example) at the end of the command to create a new entry within the file:

You will be asked to supply and confirm a password for the user.

Leave out the -c argument for any additional users you wish to add:

If we view the contents of the file, we can see the username and the encrypted password for each record:

Configure Apache Password Authentication

Now that we have a file with our users and passwords in a format that Apache can read, we need to configure Apache to check this file before serving our protected content. We can do this in two different ways.

The first option is to edit the Apache configuration and add our password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. If you have this option, this method is recommended.

If you do not have the ability to modify the virtual host file (or if you are already using .htaccess files for other purposes), you can restrict access using an .htaccess file. Apache uses .htaccess files in order to allow certain configuration items to be set within a file in a content directory. The disadvantage is that Apache has to re-read these files on every request that involves the directory, which can impact performance.

Choose the option that best suits your needs below.

Configuring Access Control within the Virtual Host Definition

Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we’ll be using the 000-default.conf file that holds the default virtual host installed through Ubuntu’s apache package:

Inside, with the comments stripped, the file should look similar to this:

Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a <Directory ___> block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:

/etc/apache2/sites-enabled/000-default.conf

Within this directory block, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

Save and close the file when you are finished. Restart Apache to implement your password policy:

The directory you specified should now be password protected.

Configuring Access Control with .htaccess Files

If you wish to set up password protection using .htaccess files instead, you should begin by editing the main Apache configuration file to allow .htaccess files:

Find the <Directory> block for the /var/www directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from “None” to “All”:

/etc/apache2/apache2.conf

Save and close the file when you are finished.

Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html, but you can place this file in any directory you wish to restrict access to:

Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

Save and close the file. Restart the web server to password protect all content in or below the directory with the .htaccess file:

Confirm the Password Authentication

To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt that looks like this:

If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit “Cancel”, you will see the “Unauthorized” error page:

Conclusion

You should now have everything you need to set up basic authentication for your site. Keep in mind that password protection should be combined with SSL encryption so that your credentials are not sent to the server in plain text. To learn how to create a self-signed SSL certificate to use with Apache, follow this guide. To learn how to install a commercial certificate, follow this guide.

To password protect a directory or section of your WordPress blog or website, you need to generate an Apache password file, better known as an htpasswd file. In this article we will explain how to create a password file for the Apache web server, which is the most popular web service used by hosting providers. Below is also a screenshot of an Apache htpasswd file if you had to open it with a text editor such as Microsoft’s Notepad.

Using htpasswd tool to create a htpasswd file

htpasswd is the tool you have to use to create an .htpasswd file. It is shipped with almost all Linux distributions which have Apache installed. If you are using Windows, you can use Xampp. Xampp is a lightweight version of an Apache web server and MySQL database server installation on Windows, which any webmaster can use to install a local copy of a WordPress blog or website for testing. To access the htpasswd tool to generate a password file, navigate to the c:\xampp\apache\bin directory using the command line.

Note: By default Xampp is installed in c:\xampp. If you changed the default installation directory, navigate to [Xampp installation path]\apache\bin. The same commands and switches apply to both the Linux and Windows versions of the htpasswd tool.

If you do not have an htpasswd file already, you have to create one and add a username and password to it the first time you run the htpasswd tool. To do so use the below command:

The -c switch means create a new Apache password file. The [password file name] should be changed to the name of the file you want to create, and the [username] should be replaced with the username you want to add to the file. As an example, if you would like to create a password file called .htpasswd and use a username S3cur3Adm!n, use the below command:

Once you run the above command, the tool will ask you to specify a password for the user twice. Once you specify a password, the new Apache username and password file is created and the username entry is added to the .htpasswd file as seen in the below screenshot.

Using htpasswd tool to add entries to existing htpasswd file

If you already have an existing htpasswd file and you would like to add new usernames to it, use the same command mentioned above without the -c switch.

Advanced htpasswd tool features

By default, htpasswd uses MD5 to encrypt the passwords in Apache htpasswd files. Use any of the below switches to enforce stronger encryption:

-d to force CRYPT encryption on file

-s to force SHA encryption of passwords on file

You can use the -b switch to use the password specified in the command line rather than having the application prompt for it.

Use the -D switch to delete existing users from the Apache htpasswd file.

For complete htpasswd tool documentation, refer to the Apache htpasswd documentation.

WP White Security Security Tip: Ideally Apache password files (htpasswd) should be stored in a directory which is not accessible via web just in case the web server software is compromised.

Once you generate your WordPress htpasswd file for Apache, upload it to your web server and configure its path in the htaccess file used to restrict access to a specific location. If you want us to generate htpasswd files for you for FREE, just drop us an email.
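The four directives described earlier (AuthType, AuthName, AuthUserFile, Require) and the tip about keeping the password file outside the web-accessible directory can be checked mechanically before a configuration is deployed. The following is an added example, not code from the original page or from Apache; the function names and both sample configurations are constructed for illustration.

```python
import posixpath
import shlex

REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

# Constructed .htaccess contents for illustration.
GOOD = '''AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
'''
BAD = '''AuthType Basic
AuthName "Restricted Content"
AuthUserFile /var/www/html/.htpasswd
'''

def parse_directives(text):
    """Return {lowercased directive name: [arguments]} for simple directives."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and <Directory ...> style section tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)          # honours the quoted realm name
        directives[parts[0].lower()] = parts[1:]
    return directives

def audit_basic_auth(text, docroot="/var/www/html"):
    """List problems: missing directives, or a password file under docroot."""
    d = parse_directives(text)
    findings = ["missing " + n for n in REQUIRED if not d.get(n.lower())]
    user_file = d.get("authuserfile")
    if user_file:
        # normpath collapses ".." so a disguised path is still caught.
        # Relative paths (resolved against ServerRoot) are not handled here.
        path = posixpath.normpath(user_file[0])
        root = posixpath.normpath(docroot)
        if path == root or path.startswith(root + "/"):
            findings.append("AuthUserFile inside document root: " + path)
    return findings

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_basic_auth(conf))
```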