Editing .htpasswd in PHP

software development


Hi all,

Does any have any suggestions on the best way to manage users and passwords in the .htpasswd file using PHP?

The Dreamhost generated file uses a salted hash (I think) but I can still authenticate users whose passwords are stored in plain text in the same file.

Is there a particular hashing method I should use, or is the fact that I moved the .htpasswd file to a folder outside of the web-facing directory sufficient enough to warrant using plain text passwords?

EDIT: Having looked at my htpasswd file again, the demo user I added to test with already existed further up, so my being able to login was an error on my part.
How do I correctly encrypt passwords so that the server will authenticate them?


You can generate the appropriate hash format yourself using the PHP crypt() function. (The default CRYPT_STD_DES format is sufficient.) You can also use the “htpasswd” command-line tool.


Hi Andrew,

I’m looking at PHP’s crypt() function and seen the following example;

[php]if (CRYPT_STD_DES == 1) {
echo 'Standard DES: ’ . crypt(‘rasmuslerdorf’, ‘rl’) . “\n”;

In this example, if my password was to be rasmuslerdorf as in the example, what would the salt be or does it not matter?
Got it!

I’ve sussed it out now, thanks Andrew! :slight_smile:


In case others are interested, I have a tool here.