Turns out htpasswd limits passwords to 8 characters in length by default prior to Apache HTTPd v2.2.18. I run CentOS 5 with HTTPd v2.2.3. I don’t rely on .htaccess password access for anything serious but I do use it as an https ‘front door’ for one of my addresses which does have its own properly secured password access. I’ve been running it like this for years and I was sure something funny was going on entering the username/password combo in there. I swore I was noticing incorrect passwords getting through. Today I decided to test it out thoroughly.