: How secure is using .htpasswd to secure a directory? I'm basically creating something off of my main domain www.mywebsite.com/intranet. I've created .htpasswd protection for that intranet directory.
I'm basically creating something off of my main domain mywebsite.com/intranet. I've created .htpasswd protection for that intranet directory.
I can't implement individual user passwords yet and I want to use .htpasswd as an interim solution.
How secure is this method?
What steps should I take to make this more secure? What permissions for .htaccess and .htpasswd?
More posts by @Steve110
1 Comments
Sorted by latest first Latest Oldest Best
Here are the disadvantages of basic authentication according to WikiPedia:
Although the scheme is easily
implemented, it relies on the
assumption that the connection between
the client and server computers is
secure and can be trusted.
Specifically, if SSL/TLS is not used,
then the credentials are passed as
plaintext and could be intercepted.
Existing browsers retain
authentication information until the
tab or browser is closed or the user
clears the history. 1 HTTP does not
provide a method for a server to
direct clients to discard these cached
credentials. This means that there is
no effective way for a server to "log
out" the user without closing the
browser. This is a significant defect
that requires browser manufacturers to
support a 'logout' user interface
element or API available to
JavaScript, further extensions to
HTTP, or use of existing alternative
techniques such as retrieving the page
over SSL/TLS with an unguessable
string in the URL.
As the word "basic" in its name implies it offers very basic protection but not much more then that. If you're going to using it as a stop gap measure until you can get a custom authentication scheme in place then it's definitely better then nothing. But if your goal is "real" security then you should be implementing a custom authentication system ASAP.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.