htaccess security

[chlori]

How secure is a .htaccess password protection really?

Sometimes I read it's secure, sometimes I read it's not
really secure (transmitted in clear text)...

How easy is it to hack a directory protected with
..htaccess?

 

[Leif K-Brooks]

How secure is a .htaccess password protection really?

Assuming that the passwords used are secure, and assuming that no new
security holes are discovered in your server software, there's no way to
just pull the passwords out of the sky. A cracker could try to intercept
the packets carrying the password, but that's very hard: in addition to
the knowledge required to pull it off, they would have to put a server
in between your site's user and your server, which would be anything but
easy. If you're protecting government secrets, you'll want to use
something more secure, but HTTP basic authentication should be suitable
for most needs.

How easy is it to hack a directory protected with .htaccess?

Please don't use the word "hack" or "hacker" to refer to malicious acts
or individuals breaking into computer systems. It's insulting to true
hackers.

 

[Toby Inkster]

How secure is a .htaccess password protection really?

If you're using HTTPS then it's very secure. If you're not, but you're
using Digest authentication then it's quite secure. If you're not using
HTTPS and not using Digest authentication then it's vaguely secure.

 

[chlori]

Leif K-Brooks schrieb am 10.01.2005 17:24:

Assuming that the passwords used are secure, and assuming that no new
security holes are discovered in your server software, there's no way to
just pull the passwords out of the sky. A cracker could try to intercept
the packets carrying the password, but that's very hard: in addition to
the knowledge required to pull it off, they would have to put a server
in between your site's user and your server, which would be anything but
easy. If you're protecting government secrets, you'll want to use
something more secure, but HTTP basic authentication should be suitable
for most needs.

Thanks for your answer. I think it's safe enough for my
needs. The idea is just that each member has his own
page where he can easily save notes online while
working and access them from everywhere...

Please don't use the word "hack" or "hacker" to refer to malicious acts
or individuals breaking into computer systems. It's insulting to true
hackers.

Ok, that's news for me... So hackers are friendly,
curious and have a lot of time - crackers are the bad
guys making me buy a firewall etc?

 

[Jan Faerber]

How secure is a .htaccess password protection really?

Sometimes I read it's secure, sometimes I read it's not
really secure (transmitted in clear text)...

How easy is it to hack a directory protected with
.htaccess?

http://httpd.apache.org/docs-2.0/howto/htaccess.html.en#when

a similar topic:

http://core.segfault.pl/~hobbit/mod_chroot/