'''.htpasswd''' is a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, although ".htpasswd" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with a dot to be hidden.<ref>{{Cite web |date=2023-05-15 |title=Understanding Hidden Files and Folders in Your Home Directory – TecAdmin |url=https://tecadmin.net/understanding-hidden-files-in-your-home-directory/ |access-date=2024-02-08 |language=en-US}}</ref> The <code>htpasswd</code> command is used to manage .htpasswd file entries.<ref>{{Cite web |last=David |first=Jackson |date=July 30, 2023 |title=Mastering Htpasswd Command in Linux |url=https://linuxtldr.com/htpasswd-command/ |website=Linux TLDR}}</ref>

== History == htpasswd was first added in the NCSA HTTPd server,<ref>{{Cite web |title=NCSA httpd AuthUserFile |url=https://www6.uniovi.es/~antonio/ncsa_httpd/setup/access/AuthUserFile.html |access-date=2024-02-08 |website=www6.uniovi.es}}</ref> which is the predecessor to Apache.<ref>{{Cite web |title=About the Apache HTTP Server Project - The Apache HTTP Server Project |url=https://httpd.apache.org/ABOUT_APACHE.html |access-date=2024-02-08 |website=httpd.apache.org}}</ref> The hash historically used "UNIX crypt" style with MD5 or SHA1 as common alternatives.<ref name="httpd-apaache-docs">{{cite web |title=htpasswd - Manage user files for basic authentication |url=https://httpd.apache.org/docs/current/programs/htpasswd.html |accessdate=2013-11-30}}</ref> In Apache 2.4, the bcrypt algorithm was added.<ref name=":0" />

== Usage == The file consists of lines, with each line containing a username, followed by a colon, followed by a string containing the hashed password optionally prepended by an algorithm specifier ("$2y$", "$apr1$" or "{SHA}") and/or salt.<ref name=":0">{{Cite web |title=Password Formats - Apache HTTP Server Version 2.4 |url=https://httpd.apache.org/docs/2.4/misc/password_encryptions.html |access-date=2024-02-08 |website=Apache}}</ref><ref>{{Cite web |date=2023-12-20 |title=HTTP authentication - HTTP {{!}} MDN |url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication |access-date=2024-02-08 |website=developer.mozilla.org |language=en-US}}</ref> Athelstan:RLjXiyxx56D9s Mama:RLMzFazUFPVRE Papa:RL8wKTlBoVLKk

Resources available from the Apache HTTP Server can be restricted to just the users listed in the files created by htpasswd. The .htpasswd file can be used to protect the entire directory it is placed in, as well as particular files.<ref>{{Cite web |last=Services |first=Chameleon Web |date=2014-03-24 |title=Password Protect File or Folder using .htaccess {{!}} Chameleon Web Services |url=https://www.chameleon.co.uk/password-protect-file-or-folder-using-htaccess/ |access-date=2024-02-08 |language=en-GB}}</ref>

== Security issues == The only algorithm accepted by htpasswd that is still considered secure by today's standards is bcrypt,<ref>{{Cite web |title=htpasswd file generator |url=http://aspirine.org/htpasswd_en.html |access-date=2024-02-08 |website=aspirine.org}}</ref> and many formats do not use salting making it vulnerable to dictionary attacks. The crypt() algorithm only uses the first 8 characters of any given password, discarding any past that.<ref name="httpd-apaache-docs" />

==See also== *Apache HTTP Server *Configuration file

== References == {{reflist}}

==External links== *[https://httpd.apache.org/docs/current/programs/htpasswd.html Apache: htpasswd - Manage user files for basic authentication]

{{DEFAULTSORT:Htpasswd}} Category:Configuration files Category:Web technology

{{web-stub}}