Htpasswd hashes passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's crypt routine. (The Apache documentation says "encrypts", but the operation is one-way: the stored value cannot be turned back into the password, only compared against a fresh hash of a candidate.) Files managed by htpasswd may contain a mixture of different hash types; some user records may have bcrypt or MD5 hashes while others in the same file may have passwords hashed with crypt.
The algorithm is chosen on the command line:
-m Use MD5 (the Apache $apr1$ variant). The default since Apache 2.2.18; in earlier releases it was the default only on Windows, Netware and TPF.
-d Use crypt(3). The default on all platforms but Windows, Netware and TPF before 2.2.18. Though possibly supported by htpasswd on all platforms, it is not supported by the httpd server on Windows, Netware and TPF.
-s Use SHA-1.
Because these are hashes, there is nothing to "decrypt" and no decryption routine to copy. What an attacker who obtains the file can do is guess candidate passwords offline and compare digests. That is why the algorithm matters (bcrypt is deliberately slow, $apr1$ is 1,000 fast MD5 rounds, SHA-1 and crypt are effectively instant) and why the file must never be downloadable through the web server.
Exit status: htpasswd returns 0 if the user was added or updated successfully, 1 if it encounters some problem accessing files, 2 if there was a syntax problem with the command line, 3 if the password was entered interactively and the verification entry didn't match, 4 if its operation was interrupted, 5 if a value is too long (username, filename, password, or final computed record), 6 if the username.
Tools built on Python's passlib, for example Ansible's htpasswd module, take the scheme as a parameter and also accept any other hash passlib supports, such as md5_crypt and sha256_crypt (Linux passwd hashes). A file written with those schemes will not be compatible with Apache or Nginx.
Hashing algorithms
- bcrypt, prefix $2y$ or $2a$
This algorithm is currently considered to be very secure. Bcrypt hashes are deliberately slow to compute, which is one of the reasons they are secure. The cost parameter sets the computing time used (higher is more secure but slower; default: 5, valid: 4 to 31). Each increment doubles the work.
Warning: think carefully before you try values above 10. This is really slow, both for the generator here and for every login attempt the server has to check, and a browser-based generator can appear frozen.
Compatibility: Apache since version 2.4 (needs apr-util 1.5+).
- md5 (APR), prefix $apr1$
Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random salt and the password. This is the default since Apache version 2.2.18. The iteration count is fixed and MD5 is fast, so it offers far less resistance to offline guessing than bcrypt.
Compatibility: all Apache versions, Nginx 1.0.3+.
- crypt(), also known as crypt(3), no prefix
It used to be the default algorithm until Apache version 2.2.17. Only the first 8 characters of the password are used, and only plain ASCII characters are allowed. Considered insecure.
Compatibility: all Apache and Nginx versions, Unix only.
- salted sha-1, prefix {SSHA}
Considered insecure. The salt makes cracking a list of passwords more time-consuming, because each hash has to be attacked separately. It does not make a dictionary attack on a single password any harder.
Compatibility: Nginx 1.0.3+ only.
- sha-1, prefix {SHA}
Unsalted. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (LDIF). This algorithm is insecure by today's standards.
Compatibility: all Apache versions, Nginx 1.3.13+.
- Plaintext (no hashing), no prefix for Apache, {PLAIN} for Nginx
Stores the password as typed. Insecure.
Compatibility: Windows and Netware Apache versions only, Nginx 1.0.3+.
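To make the mixed-file point above concrete, here is an added Python example (written for this page, not code from the generator, from Apache or from Nginx). It implements the $apr1$ scheme as described above (1,000 MD5 rounds over password and salt, then APR's own base-64 encoding), the {SHA} and {SSHA} schemes, and checks logins against a small constructed .htpasswd that mixes them, the way httpd does when one file carries several hash types. The function names (apr1_hash, ssha_hash, verify, parse_htpasswd, check_login) and the sample users are assumptions of the example. bcrypt entries are delegated to the third-party bcrypt package, and unprefixed crypt(3) entries are reported as unsupported because Python no longer ships a crypt module.

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet shared by crypt(3)-style schemes; htpasswd -m draws its salt from it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """APR's to64(): `count` ITOA64 chars from the low bits of value, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>', following apr_md5_encode() step by step.

    The salt is cut at the first '$' and at 8 characters, as APR does.
    """
    pw = password.encode("utf-8")
    salt = salt.split("$", 1)[0][:8]
    s = salt.encode("ascii")

    ctx = hashlib.md5(pw + APR1_MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)                       # mix in `alt`, one byte per password byte
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)                        # walk the bits of len(pw): 0x00 for 1, pw[0] for 0
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds, each hashing a different arrangement of password, salt and
    # the previous digest. This fixed work factor is all the slow-down $apr1$ has.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # APR's custom base-64: 24-bit groups taken from permuted digest bytes.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def new_apr1_salt() -> str:
    """8 random ITOA64 characters, the salt length htpasswd -m uses."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def ssha_hash(password: str, salt: bytes) -> str:
    """Nginx {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check `password` against one hash field, dispatching on its prefix."""
    pw = password.encode("utf-8")
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):                       # unsalted SHA-1, Apache -s
        return hmac.compare_digest(base64.b64decode(stored[5:]), hashlib.sha1(pw).digest())
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[6:])
        return hmac.compare_digest(blob[:20], hashlib.sha1(pw + blob[20:]).digest())
    if stored.startswith("{PLAIN}"):                     # Nginx plaintext
        return hmac.compare_digest(stored[7:].encode("utf-8"), pw)
    if stored.startswith(("$2a$", "$2b$", "$2y$")):       # needs the third-party bcrypt package
        import bcrypt
        return bcrypt.checkpw(pw, stored.encode("ascii"))
    raise ValueError(f"unsupported or unprefixed (crypt(3)?) hash: {stored!r}")


def parse_htpasswd(text: str) -> dict:
    """Map user -> hash field; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, field = line.partition(":")
            entries[user] = field
    return entries


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    entries = parse_htpasswd(htpasswd_text)
    return user in entries and verify(entries[user], password)


# Constructed sample file mixing schemes (not from the page). The $apr1$ line
# uses a fixed salt so the example is reproducible; real entries get a random one.
SAMPLE_HTPASSWD = "\n".join([
    "# one file, three schemes",
    "alice:" + apr1_hash("password", "saltsalt"),
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",   # base64(sha1("password"))
    "carol:" + ssha_hash("password", b"1234"),
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, check_login(SAMPLE_HTPASSWD, user, "password"),
              check_login(SAMPLE_HTPASSWD, user, "wrong"))
    print("dave:" + apr1_hash("s3cret", new_apr1_salt()))
```

Running the module prints a True/False pair per sample user and a fresh dave line with a random salt. Reading the verify() branches also shows why the list above ranks the schemes as it does: every branch except bcrypt costs a fixed, tiny amount of work per guess, so this same verifier is exactly what an attacker runs against a leaked file. When auditing an inherited .htpasswd, any field that lands in the {SHA}, {SSHA} or {PLAIN} branch, or raises the crypt(3) error, is a candidate for re-hashing with htpasswd -B.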
The generator on this page produces hashed passwords for use with .htaccess and .htpasswd password protection. This functionality is standard on the Apache web server and works in all normal browsers. Hashing means the password is not stored in clear text in .htpasswd. It does not protect the password in transit: HTTP Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so a protected area should only be served over HTTPS.
Enter a username and password to get the line to add to your .htpasswd file, one line for each user.
Example line in a .htpasswd file with the username 'userdude' and password 'password':
.htpasswd
The PHP code the generator uses to hash the password:
Encryption source code
<?php
// crypt() with a two-character salt selects the legacy DES crypt(3) scheme:
// only the first 8 characters of the password count, and the output has no
// prefix. base64_encode('password') is 'cGFzc3dvcmQ=', so the salt is 'cG';
// deriving the salt from the password itself makes it predictable. For new
// files prefer htpasswd -B (bcrypt) or password_hash($pw, PASSWORD_BCRYPT),
// which pick a random salt and produce $2y$ hashes Apache 2.4 accepts.
echo crypt('password', base64_encode('password'));
?>
How to Setup
Attention: the files must be named .htaccess and .htpasswd. Files whose names start with .ht are by default not sent to clients by the Apache web server; a request for one gets a 403 Forbidden. This relies on the <Files ".ht*"> deny block in the default httpd.conf, so check that it is still present, and store .htpasswd outside the document root where possible. For .htaccess to take effect at all, the directory must be configured with AllowOverride AuthConfig (or All).
The .htaccess file must contain the following lines and be placed in the folder with the content to protect:
.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/.htpasswd
Require valid-user
AuthName is mandatory; without it Apache answers with a 500 error. The above protects the entire folder. To protect only specific files, put the Require line inside a <Files> block (the file name is a placeholder):
.htaccess
<Files "protected.html">
Require valid-user
</Files>
It's possible to add multiple <Files> entries and to restrict an entry to named users:
.htaccess
<Files "protected.html">
Require user user01 user02 ...
</Files>
Path to AuthUserFile
For the system to work, the correct path to .htpasswd must be set on the AuthUserFile line in .htaccess. The absolute path to the file on the server must be used; a relative path is resolved against Apache's ServerRoot, not the directory holding .htaccess. To obtain the absolute path you can upload a file to the directory where you're going to store .htpasswd (delete it again after use):
temp.php
<?php
// Prints the absolute filesystem path that a file named .htpasswd in this
// directory has; copy it onto the AuthUserFile line.
echo __DIR__ . DIRECTORY_SEPARATOR . '.htpasswd';
?>
The output will be something like:
temp.php output
And in .htaccess it will then be:
.htaccess
An example folder structure could be:
Folder structure example
How To Test The Setup
When the setup is in place, users are prompted for credentials when requesting the pages and files specified; a missing or wrong login is answered with 401 Unauthorized. Hashed entries in .htpasswd cannot be decrypted: if a password is lost, generate a new line for the user and replace the old one.
This page could also be of interest: HTTP authentication with PHP.