{
    "href": "/post/2005/04/14/htpasswd-and-crypt-in-solar-fixed/",
    "relId": "2005/04/14/htpasswd-and-crypt-in-solar-fixed",
    "title": "Htpasswd and crypt() in Solar -- fixed!",
    "author": "pmjones",
    "markup": "html",
    "tags": [
        {
            "href": "/tag/php/",
            "relId": "php",
            "title": "PHP",
            "author": null,
            "created": null,
            "updated": [],
            "markup": "markdown"
        },
        {
            "href": "/tag/solar/",
            "relId": "solar",
            "title": "Solar",
            "author": null,
            "created": null,
            "updated": [],
            "markup": "markdown"
        }
    ],
    "created": "2005-04-14 14:52:36 UTC",
    "updated": [
        "2005-04-14 14:52:36 UTC"
    ],
    "html": "<p>(Well, sort of fixed.)  This post originates from <a href=\"http://paul-m-jones.com/blog/?p=134\">an issue I had with htpasswd files and crypt()</a>; effectively, crypt() only looks at the first 8 characters in a password and validates the password if they match, regardless of the rest of the password.  It turns out this is a known limitation of crypt(); it generated <a href=\"http://marc.theaimsgroup.com/?t=111342275500003&amp;r=1&amp;w=2\">a fair amount of discussion on the pear-dev mailing list</a>.</p>\n<p>So while Solar_User_Auth_Htpasswd will still reject passwords longer than 8 characters as a security measure against the default DES crypt() limitation, I have been able to add support for SHA1 and APR1-MD5 encrypted passwords in htpasswd files.  This will allow you to use much longer passwords.  The new code comes courtesy of two PEAR developers: from a tip by <a href=\"http://marc.theaimsgroup.com/?l=pear-dev&amp;m=111343712503696&amp;w=2\">Tomas V. V. Cox for SHA1</a>, and from Mike Wallner's excellent crypt_apr_md5() method in <a href=\"http://pear.php.net/File_Passwd\">File_Passwd</a>.  Thanks, guys!</p>\n<p>(A side note:  Apache <a href=\"http://httpd.apache.org/docs/programs/htpasswd.html\">htpasswd</a> does not use a standard MD5 hashing routine, which is why just calling md5() from PHP was not a viable option.)</p>\n"
}
