htpasswd limits passwords to 8 characters (or: read the manual dummy)

Turns out htpasswd limits passwords to 8 characters in length by default prior to Apache HTTPd v2.2.18. I run CentOS 5 with HTTPd v2.2.3. I don’t rely on .htaccess password access for anything serious but I do use it as an https ‘front door’ for one of my addresses which does have its own properly secured password access. I’ve been running it like this for years and I was sure something funny was going on entering the username/password combo in there. I swore I was noticing incorrect passwords getting through. Today I decided to test it out thoroughly.

After 15 minutes of testing I was getting very concerned there was a security hole here, but I knew that probably wasn’t the case. A few minutes later I decided to open up the docs and sure enough, it was my fault:

-d Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware and TPF. This algorithm limits the password length to 8 characters. This algorithm is insecure by today’s standards. It used to be the default algorithm until version 2.2.17.

There you go. That explains it. On one hand I know it’s my fault for not knowing my tools, but on the other it’s stretching it to be remembering these things. Oh well, always test your implementations I guess.

Leave a Reply