encrypted passwords

He has: 1,380 posts

Joined: Feb 2002

hi...my situation is hard to explain...so here's an example:
you are on hypermart's Password Encrypt page
you enter a word or words, and it prints the encrypted version when you press the button...
does this store it in a database? or can it just print the encrypted version? if i were to do this on a site i made, would i have to store it? thanks

Peter J. Boettcher's picture

They have: 812 posts

Joined: Feb 2000

The encryption algorithm can be on the server or the client, although it's not recommended that you store it on the client. The algorithm itself isn't stored in the database, most likely it is just some code on the server (ASP/PHP/etc).

The data that is encrypted can be stored in the database if you choose, then it has to be decrypted when it is pulled out of the database.

PJ | Are we there yet?
pjboettcher.com

He has: 1,380 posts

Joined: Feb 2002

but does it have to be stored for it to work in a .htaccess file?

Peter J. Boettcher's picture

They have: 812 posts

Joined: Feb 2000

I'm not sure what you mean exactly. When you use .htaccess/.htpasswd stuff, the system handles all encryption and storage for you. Are you interfacing something you built with that?

PJ | Are we there yet?
pjboettcher.com

He has: 1,380 posts

Joined: Feb 2002

no...i'm trying to set it up for my own server that will be here soon...after the algorithm processes the password, does it have to be saved if one were to use the password in a .htaccess file?

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

I think he's talking about .htpasswd. I hope. Kyle, have you considered taking some courses?

He has: 1,380 posts

Joined: Feb 2002

ahh yea, stupid me...i meant htpasswd...but no-one will answer me....and classes to figure out how to use htpasswd? i know how...i want to learn how to install it upon a server (enable implementation would prob be a better term)

Suzanne's picture

She has: 5,507 posts

Joined: Feb 2000

classes in, say, server administration, cgi programming -- in general. you ask a lot of questions where you don't know the terminology, or even how to ask the question, so it takes a few rounds before anyone can even try to answer your question.

I'm suggesting classes so at the very least, you can ask questions that people can answer.

Mark Hensler's picture

He has: 4,048 posts

Joined: Aug 2000

[max@host max]$ man htpasswd

htpasswd(1)                                           htpasswd(1)

NAME
       htpasswd - Create and update user authentication files

SYNOPSIS
       htpasswd [ -c ] [ -m | -d | -s | -p ] passwdfile username
       htpasswd  -b [ -c ] [ -m | -d | -s | -p ] passwdfile user­
       name password
       htpasswd -n [ -m | -d | -s | -p ] username
       htpasswd -nb [ -m | -d | -s | -p ] username password

DESCRIPTION
       htpasswd is used to create and update the flat-files  used
       to  store  usernames and password for basic authentication
       of HTTP users.  If htpasswd cannot access a file, such  as
       not  being  able  to write to the output file or not being
       able to read the file in order to update it, it returns an
       error status and makes no changes.

       Resources  available  from the httpd Apache web server can
       be restricted to just the users listed in the  files  cre­-
       ated  by htpasswd.  This program can only manage usernames
       and passwords stored in a flat-file. It  can  encrypt  and
       display  password  information  for  use in other types of
       data stores, though.  To use a DBM database see dbmmanage.

       htpasswd  encrypts passwords using either a version of MD5
       modified for Apache,  or  the  system's  crypt()  routine.
       Files  managed by htpasswd may contain both types of pass­
       words; some user records may have MD5-encrypted  passwords
       while others in the same file may have passwords encrypted
       with crypt().

       This manual page only lists the  command  line  arguments.
       For  details of the directives necessary to configure user
       authentication in httpd see the Apache  manual,  which  is
       part  of  the  Apache  distribution  or  can  be  found at
       <URL:http://httpd.apache.org/>.

OPTIONS
       -b     Use batch mode; i.e., get  the  password  from  the
              command  line  rather  than  prompting for it. This
              option should be used with extreme care, since  the
              password is clearly visible on the command line.

       -c     Create   the   passwdfile.  If  passwdfile  already
              exists, it is rewritten and truncated.  This option
              cannot be combined with the -n option.

       -n     Display  the results on standard output rather than
              updating a file.  This  is  useful  for  generating
              password records acceptable to Apache for inclusion
              in non-text data stores.  This option  changes  the
              syntax  of  the  command line, since the passwdfile
              argument (usually the first one)  is  omitted.   It
              cannot be combined with the -c option.

       -m     Use  Apache's modified MD5 algorithm for passwords.
              Passwords encrypted with this algorithm are  trans­
              portable  to  any platform (Windows, Unix, BeOS, et
              cetera) running Apache 1.3.9 or later.  On  Windows
              and TPF, this flag is the default.

       -d     Use  crypt()  encryption for passwords. The default
              on all platforms but Windows and TPF. Though possi­
              bly  supported  by htpasswd on all platforms, it is
              not supported by the httpd server  on  Windows  and
              TPF.

       -s     Use SHA encryption for passwords. Faciliates migra­
              tion from/to Netscape servers using the LDAP Direc­
              tory Interchange Format (ldif).

       -p     Use  plaintext passwords. Though htpasswd will sup­
              port creation on all platforms,  the  httpd  deamon
              will  only  accept  plain text passwords on Windows
              and TPF.

       passwdfile
              Name of the file to contain the user name and pass­
              word.  If  -c  is given, this file is created if it
              does not already exist, or rewritten and  truncated
              if it does exist.

       username
              The  username to create or update in passwdfile. If
              username does not exist in this file, an  entry  is
              added. If it does exist, the password is changed.

       password
              The  plaintext  password to be encrypted and stored
              in the file.  Only used with the -b flag.

EXIT STATUS
       htpasswd returns a zero status ("true")  if  the  username
       and  password  have  been successfully added or updated in
       the passwdfile.  htpasswd returns 1 if it encounters  some
       problem  accessing  files, 2 if there was a syntax problem
       with the command line,  3  if  the  password  was  entered
       interactively  and  the verification entry didn't match, 4
       if its operation was interrupted, 5 if a value is too long
       (username,  filename, password, or final computed record),
       and 6 if the username contains illegal characters (see the
       RESTRICTIONS section).

EXAMPLES
       htpasswd /usr/local/etc/apache/.htpasswd-users jsmith

              Adds or modifies the password for user jsmith.  The
              user is prompted for the password.  If executed  on
              a  Windows  system,  the password will be encrypted
              using the modified Apache MD5 algorithm; otherwise,
              the  system's crypt() routine will be used.  If the
              file does  not  exist,  htpasswd  will  do  nothing
              except return an error.

       htpasswd -c /home/doe/public_html/.htpasswd jane

              Creates  a  new  file and stores a record in it for
              user jane.  The user is prompted for the  password.
              If the file exists and cannot be read, or cannot be
              written, it is not altered and htpasswd  will  dis­
              play a message and return an error status.

       htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve

              Encrypts   the   password  from  the  command  line
              (Pwd4Steve) using the MD5 algorithm, and stores  it
              in the specified file.

SECURITY CONSIDERATIONS
       Web  password  files  such  as  those  managed by htpasswd
       should not be within the Web server's URI  space  --  that
       is, they should not be fetchable with a browser.

       The  use of the -b option is discouraged, since when it is
       used the unencrypted password appears on the command line.

RESTRICTIONS
       On the Windows and MPE platforms, passwords encrypted with
       htpasswd are limited to no more  than  255  characters  in
       length.  Longer passwords will be truncated to 255 charac­
       ters.

       The MD5 algorithm used by  htpasswd  is  specific  to  the
       Apache  software; passwords encrypted using it will not be
       usable with other Web servers.

       Usernames are limited to 255 bytes and may not include the
       character ':'.

SEE ALSO
       httpd(8)  and  the scripts in support/SHA1 which come with
       the distribution.

                             May 2000                           1

Mark Hensler
If there is no answer on Google, then there is no question.
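
As an added example (not part of the thread or of Apache's code): the records htpasswd writes are kept in the flat file, and a `{SHA}` record is checked by hashing the login attempt again and comparing. The Python sketch below classifies each record by the option that produced it (-m, -s, -d, -p) and verifies a `{SHA}` record; the sample file contents and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample file contents (not from the thread), one record per
# htpasswd scheme: -m, -s, -d and -p in that order.
SAMPLE = """\
alice:$apr1$abcdefgh$0123456789ABCDEFGHIJKL
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:ab1x9QzR2Lk7c
dave:Pwd4Steve
"""

CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify(stored):
    """Guess which htpasswd option produced a stored password field."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"      # -m: Apache's modified MD5, salted
    if stored.startswith("{SHA}"):
        return "sha1"          # -s: base64 of an unsalted SHA-1 digest
    if CRYPT_RE.fullmatch(stored):
        return "crypt"         # -d: heuristic, 13-character crypt() output
    return "plaintext"         # -p: password kept as typed


def parse(text):
    """Return {username: stored_field}; usernames cannot contain ':'."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            user, _, stored = line.partition(":")
            records[user] = stored
    return records


def verify_sha(stored, candidate):
    """Check a login attempt against a {SHA} record by hashing it again."""
    digest = hashlib.sha1(candidate.encode()).digest()
    expected = "{SHA}" + base64.b64encode(digest).decode()
    return hmac.compare_digest(expected.encode(), stored.encode())


def audit(text):
    """Map each user to the scheme of their record."""
    return {user: classify(stored) for user, stored in parse(text).items()}
```

Running `audit()` over a real password file shows which users still have plaintext or unsalted records and should be re-created with a salted scheme.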

Mark Hensler's picture

He has: 4,048 posts

Joined: Aug 2000

Ya know, it might have been easier to just link to here:
http://httpd.apache.org/docs/programs/htpasswd.html

He has: 1,016 posts

Joined: May 2002

Kyle,

if you're getting a control panel with your server, it'll most likely have a web protect script included where you can manage these through the web. But then again, it's good to learn how to do things through the shell since you're going to have to manage this server.

He has: 1,380 posts

Joined: Feb 2002

ok...
suzanne: i understand what you are saying, but it is hard to describe what i want, when i can't totally tell you what i need it for and why. and...i understand most of what is done, but not necessarily all the terms...and a lot of what i ask here is me trying to learn/figure out things...not necessarily tweak. you may have noticed i have posted less for help, and more to help.
mark: thanks
sarvi: it isn't coming with a control panel...it's a custom built server, nothing coming with it

nike_guy_man's picture

They have: 840 posts

Joined: Sep 2000

Can't you order a control panel with it?
Using htpasswd in *nix is simple enough for me... I've tried it out a few times and it protects it fine...
However, I've found that sessions in PHP work just as easily, if not more easily...
With PHP, I write in a session code to see if they are logged in... I title that 'protect.php' then I include that at the top of every page I want protected. That way, you can protect certain files, or all the files in a directory.
If you don't want 1 file in a directory protected, it is kind of a pain to do with htpasswd, but very easy with PHP.
Try it out

Laughing out loud

He has: 1,380 posts

Joined: Feb 2002

ok...well thanks peter, i mean nike_guy_man .... Wink ....

nike_guy_man's picture

They have: 840 posts

Joined: Sep 2000

what?

He has: 1,380 posts

Joined: Feb 2002

lol, just playin
