Password Formats
Notes about the password encryption formats generated and understood by Apache.
There are five formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password. Insecure. $ htpasswd -nbB myName myPassword
myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
OpenSSL knows the Apache-specific MD5 algorithm.
openssl passwd -crypt myPassword
The salt for a CRYPT password is the first two characters (converted to a binary value). To validate myPassword
Warning: truncating password to 8 characters
Note that using myPasswo
will produce the same result because only the first 8 characters of CRYPT passwords are considered.
(as a Base64-encoded binary value - max 8 chars). To validate myPassword
The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.
To create Apache SHA1-variant basic-authentication passwords in various languages:
'{SHA}' . base64_encode(sha1($password, TRUE))
"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
Use the APR function: aprsha1base64
Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password
as a 32-character string of hexadecimal digits. realm
is the Authorization Realm argument to the
directive in apache2.conf.AuthName
java.math.BigInteger bi = new java.math.BigInteger(1, b);
String s = bi.toString(16);
while (s.length() < 32)
Modules | Directives | FAQ | Glossary | Sitemap
Apache HTTP Server Version 2.4
Modules
Modules | Directives | FAQ | Glossary | Sitemap
Password Formats
Available Languages: en | fr
en
Available Languages: en | fr
Apache License, Version 2.0
Copyright 2014 The Apache Software Foundation.Licensed under the Apache License, Version 2.0.