Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Adding a salt to .htpasswd?

Tags:

hash

encryption

salt

.htpasswd

Is it possible to add a salt to passwords in .hpasswd files? I assume not since the server would need the salt for each user in order to verify the password and I can't think of how it would get them, but otherwise if the list was to be obtained it would be rather vulnerable. Is there a solution?

Many thanks for your help, Ben

like image 200
Ben Avatar asked Dec 21 '22 21:12

Ben

1 Answers

By default htpasswd uses the standard crypt function and thus passwords are already salted - note in this example that both users have the same password yet the hashes are different:

simon@diablo:~$ htpasswd -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ htpasswd -b htpasswd simon2 abcd
Adding password for user simon2
simon@diablo:~$ cat htpasswd 
simon:NWvm/LCCxQ64E
simon2:2I.LBzsRqULN6

(note: the -b flag is normally discouraged because other users can see your command line arguments and hence the password)

The first two characters of the hash are the salt; passwords are verified by calling crypt() again. Entering the wrong password produces a string that's unequal to the hashed password:

>>> from crypt import crypt
>>> crypt("wrongpass", "NWvm/LCCxQ64E")
'NWbxQgX1unvso'

whereas the correct password produces the expected hash:

>>> crypt("abcd", "NWvm/LCCxQ64E")
'NWvm/LCCxQ64E'

htpasswd -m uses a different algorithm that's MD5-based and uses a longer salt:

simon@diablo:~$ htpasswd -m -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ cat htpasswd
simon:$apr1$mfvnBVmG$iIHIHOaH9vcImG5G.8eVa/

Here, the salt is the 8 characters between the second and third $.

htpasswd -s stores a SHA-1 digest with no salt; this appears to be for compatibility with Netscape/LDIF:

simon@diablo:~$ htpasswd -s -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ htpasswd -s -b htpasswd simon2 abcd
Adding password for user simon2
simon@diablo:~$ cat htpasswd 
simon:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
simon2:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=

These can easily be reversed - convert into a hex digest:

>>> "".join("%02x" % ord(c)
...      for c in "gf6L/odXbD7LIkJvjleEc4KRes8=".decode("base64"))
'81fe8bfe87576c3ecb22426f8e57847382917acf'

then use an online hash database.

like image 72
SimonJ Avatar answered Dec 24 '22 11:12

SimonJ
Sign in to Comment

Related questions

Why set a password using Jasypt when encrypting text?
best practices to compress/encrypt
openssl initialize RSA public key
How can I do this same encrypt/decrypt PHP function on iOS with Objective-C?
Encryption with MachineKey is not persistent
SVN + Veracrypt + Dropbox?
How to enable certain cipher-suites in WildFly?
AWS Auto Scaling Launch Configuration Encrypted EBS Cloud Formation Example
Decrypting CryptoStream into MemoryStream
Error while decrypting assertion sent from IDP
In AWS API Gateway, how to restrict HTTPS ciphers to those that provide Perfect Forward Secrecy?
What is the file size after encryption using AES/CBC/PKCS5Padding in java
Encrypt data from users in web applications
Knowing the plaintext, how to discover the encryption scheme used? [closed]
Deciphering Encoding: Packet Analysis Tools
Python RSA Decryption Using OpenSSL Generated Keys
How would you generate repeateable encryption key?
iPhone App Review and SHA1
How should I savely store encrypted user data on my server, and serve it only to the right user?
.net Cryptography - is there a way to tell that something has been decrypted wrong?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!