Home/ Questions/Q 6754183
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T13:14:59+00:00

I found an interesting thing. I’ve setup Nginx for Base Auth with htpasswd file.

  • 0

I found an interesting thing. I’ve setup Nginx for Base Auth with htpasswd file. Everything works fine, but the passwords like <correct password><some random chars> gain access as well as <correct password>.

Is it OK? It is an Nginx-only issue, or is it related to the crypt method used in both Nginx and Apache?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I shared this with our servers administrator. And he’s found the answer:
    crypt algorithm hashes only first 8 characters, so if your password is lengthier than 8 chars it does not improve it’s falsification-resistance.
    If your password is 6-symbols length, let’s say

    passwd

    Basic auth will refuse password like passwd01

    If you use htpasswd utility and want your passwords to be lengthier than 8 symbols to improve it’s cryptography strength, you better encrypt them using md5 or sha algorithm (-m and -s modifiers respectively).

    So your proposition

    is it related to the crypt method used in both Nginx and Apache

    is correct

    Proof can be found at GNU.org libc 32.3 Encrypting Passwords:

    For the DES-based algorithm, the salt should consist of two characters from the alphabet ./0-9A-Za-z, and the result of crypt will be those two characters followed by 11 more from the same alphabet, 13 in total. Only the first 8 characters in the key are significant.

    • 0