Easily Password Protect a Website or Subdirectory
Working on a website that you need others to see, but not the whole world? Password protecting a website (or a sub directory within a website) is actually a pretty easy thing to do.
.htaccess file
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-userThe exact path to the file is extremely important here. If you have it wrong, it will still ask for a password but nothing will seem to work. On Media Temple, my path looks like this:
/home/21410/domains/css-tricks.com/html/examples/PasswordProtected/.htpasswd
You should be able to to echo out a phpinfo(); on a page in that directory to scope this directory out.
.htpasswd file
css-tricks:csmBH6tTLNZBEThat is what the contents of the .htpasswd file should look like. One username and password per line, separated by a colon. Notice the password is encrypted though. You will need to use a special tool to encrypt your password in this way (MD5). David Walsh has a tool just for this.
In fact, I obviously first learned this from David as pretty much this exact same tip is on his site. Still, I think it’s worthy of re-posting because this is an extremely useful tool to have in your toolbox.
See it in action
Live example here. Login/Password is css-tricks/css-tricks
Loading ...
1
kinda of a newbie question, but will this work on any app server or just Apache?
Thanks…
Comment by mikemc — July 23, 2008 @ 5:57 am
2
Thanks for the reference!
Comment by David Walsh — July 23, 2008 @ 5:57 am
3
I assume you want to educate the average user and you started out well : commented illustrations that are extremely helpful. But then suddenly something went wrong - what to make of this :
I’ve absolutely no idea what you’re talking about !
Comment by Peter — July 23, 2008 @ 6:51 am
4
Peter - check out http://kb.iu.edu/data/abeq.html for more info. Some of it is specific to the university but it’s a decent primer.
Comment by Kyle Kinnaman — July 23, 2008 @ 6:54 am
5
Thanks for the nice & simple explanation. I know that a .htaccess file protects all subdirectories under its path, so this looks like a great method.
Do you know how safe the .htpasswd file is? If it is readable, and the MD5 encryption is reversable, wouldn’t that mean that it can be decrypted?
Thanks
Comment by Robert Augustin — July 23, 2008 @ 7:19 am
6
Thanks!
It gives us ideas for many possibilities
Thank you
Comment by Hazem — July 23, 2008 @ 7:32 am
7
This is an excellent resource, especially when making a beta site that isn’t ready to be revealed yet!
Comment by Shannon Snow — July 23, 2008 @ 7:43 am
8
To Robert Augustin: MD5 is a one-way cryptographic hash function. Therefore it is impossible to decrypt a hashed password to get its original value. The way this authentication method works (I assume) is that the user enters a password, which is hashed and compared to the stored password hash for that username. If the two match, then authentication is successful. This negates the need for storing plain-text or decryptable passwords. MD5 does have its problems, however, and it is possible to find a text string which generates the same hash value as a stored password. To prevent this, a ’salt’ value should be used when hashing..
Comment by Anton Eicher — July 23, 2008 @ 7:56 am
9
@ Kyle - thanks for your quick response & helpful link, it’s much appreciated !
I’ll make sure to read all with due care & attention, since I don’t want to drop some files in my site’s directory only to find that is has become completely inaccessible
Comment by Peter — July 23, 2008 @ 8:00 am
10
Anton,
Thank you. If I understand correctly, that would call for a hash generator that adds salt values before encrypting the string. I don’t know if the above mentioned one (by David Walsh) does that - but I know how this works now
Comment by Robert Augustin — July 23, 2008 @ 8:33 am
11
Newbie question: How do I save .htpasswd and .htaccess files? I am having trouble saving them from TextMate and when I rename them after I FTP them, they disappear. What am I doing wrong?Also, from 1 to 10, how safe is this? Could I protect real stuff behind this or is this more for beta websites and such?
Comment by Nate Maggio — July 23, 2008 @ 8:49 am
12
love this stuff any way you can write more info on this subject with asp in mind? Thanks love the site
Comment by that graphic guy — July 23, 2008 @ 9:15 am
13
@Nate: Some FTP clients don’t show you the .htaccess and .htpasswd files.
Comment by David Walsh — July 23, 2008 @ 9:22 am
14
In “Transmit” or “Coda” by Panic, there is literally a menu option for “Show Invisible Files”. In OS X, any file that begins with a period is “invisible” so you’ll need that turned on.
Comment by Chris Coyier — July 23, 2008 @ 9:34 am
15
I’ve found that some servers show me hidden files and others refuse to. Be aware of that.
Comment by David Walsh — July 23, 2008 @ 11:09 am
16
Good post. I was trying to find info on this about 6 months ago and had a hell of a time tracking down any good tutorials.
Comment by Tim Wright — July 23, 2008 @ 12:30 pm
17
Just to add: The Mac people can easily generate the encrypted passwords in Terminal with htpasswd which is included on every Mac:
htpasswd -nb username password
Comment by kremalicious — July 23, 2008 @ 3:05 pm
18
Overall a great tip.
And thanks to kremalicious for his Terminal Tip too. I will be using that one.
Like some others are asking, how safe is this? Can I use it for access to an admin area of a site that is out of beta and in use?
Comment by Morgan Daly — July 23, 2008 @ 5:09 pm
19
put the htpaswd file outside of your root folder so it isn’t web accessible like:
http://www.yourdomain.com/.htpasswd
Comment by Tim Wright — July 23, 2008 @ 5:56 pm
20
MD5 hashes can be cracked with the use of rainbow tables.
Does the password generator with Apache generate salted hashes ? I don’t think it does.
As someone else already commented, the password file really should be stored outside of the web accessable tree. And the .htaccess file should be configured (by default in recent Apache) to not be browsable.
Comment by John — July 24, 2008 @ 5:43 am
21
Great tip, as usual! Congratulations for this website, my favourite at the moment! I’m not an expert at all, so regarding John comment above, how can I store the file outside of the web accessable tree? And how can I configure .htaccess to not be browsable? Thank you in advance!
Comment by JohnDBB — July 24, 2008 @ 7:00 am
22
How do I save the .htaccess file in Windows? I get an error saying, file name required.
Comment by mike — July 26, 2008 @ 10:54 am
23
Nice little htaccess tut. You should do a post about making a php login area to secure directories. Even better, each ‘persons’ login would have access to only a certain directory(s).
Comment by Kyle — July 26, 2008 @ 1:32 pm
24
Very useful, and thanks kremalicious for the mac terminal code.
Comment by Zander Martineau — July 28, 2008 @ 7:03 am
25
This is a great tip!
For anyone hosting on GoDaddy, the easiest way to do this is through your account manager. I tried doing it manually for quite a while after reading this tutorial, and I couldn’t get it to work properly. I finally found this article explaining another way to do it (and maybe the only way on GoDaddy) - http://help.godaddy.com/article/4057#protect
Comment by 20minutes — July 28, 2008 @ 11:38 am
26
Have you ever seen where a browser will require the authentication multiple times before going through? I set up a password protected directory a while back through my host’s admin panel. I have access to the .htaccess file, but from what I can tell, not the .htpasswd. Everything in the .htaccess seems to be the same as you’ve outlined above, except the last line: it reads
require user myusernamehereinstead of:require valid-userI assume the encrypted password is the only thing in the .htpasswd file. In any case, do you think this could be a browser issue, or something in the way the host sets it up? I’ve tried to replicate the issue on other computers, but it never seems to be consistent.I suppose I could scrap the “admin panel way” and create my own files as this post suggests….
Comment by Maria — July 28, 2008 @ 1:03 pm
27
A few points I’d like to add:
The hash algorithm used in the example .htpasswd in the article doesn’t look like MD5 at all, looks more like crypt() which is the default (except in Windows).
MD5 is not encryption, it’s a one way hash/digest algorithm. Despite the name, crypt() is not an encryption either.
Putting .htpasswd in the same directory as .htaccess, increases the chance of exposing the user and password hashes publicly. It’s probably wiser to put it outside of Apache’s DocumentRoot completely. Recent installations of Apache httpd probably has a rule that blocks direct access to .htaccess and .htpasswd files by default, but it’s not always the case.
Comment by Ronny — August 12, 2008 @ 1:30 am