Editing .htpasswd in PHP

software development

#1

Hi all,

Does any have any suggestions on the best way to manage users and passwords in the .htpasswd file using PHP?

The Dreamhost generated file uses a salted hash (I think) but I can still authenticate users whose passwords are stored in plain text in the same file.

Is there a particular hashing method I should use, or is the fact that I moved the .htpasswd file to a folder outside of the web-facing directory sufficient enough to warrant using plain text passwords?


EDIT: Having looked at my htpasswd file again, the demo user I added to test with already existed further up, so my being able to login was an error on my part.
How do I correctly encrypt passwords so that the server will authenticate them?


#2

You can generate the appropriate hash format yourself using the PHP crypt() function. (The default CRYPT_STD_DES format is sufficient.) You can also use the “htpasswd” command-line tool.


#3

Hi Andrew,

I’m looking at PHP’s crypt() function and seen the following example;

[php]if (CRYPT_STD_DES == 1) {
echo 'Standard DES: ’ . crypt(‘rasmuslerdorf’, ‘rl’) . “\n”;
}[/php]

In this example, if my password was to be rasmuslerdorf as in the example, what would the salt be or does it not matter?
[hr]
Got it!

I’ve sussed it out now, thanks Andrew! :slight_smile:


#4


In case others are interested, I have a tool here.