This is a discussion on Password Protection Security Tip in the Shared & Semi-Dedicated forum
  1. #1  JPC Member (Join Date: Jul 2003; Location: Canada; Posts: 12)

    Password Protection Security Tip

    I thought I would share a security tip when selecting the 'Password Protection' cpanel feature.

    Although there is no indication of this on the site, passwords created through the 'Password Protection' feature are actually limited to eight (8) characters. Anything after eight (8) characters will just be ignored! This is not a flaw of cpanel but a limitation of .htaccess files.

    You can test this out yourself:

    1. Use the 'Password Protection' feature to protect a directory using the password: 12345ABCDEF

    2. Now browse to that directory and use the password:
    12345ABC
    And it will work!

    3. Now also try the same thing again using the password:
    12345ABCXXXXXX
    And it will work!

    So when selecting passwords, remember only the first eight (8) characters count! (Your 'Superman830382' password might not be that secure against brute force dictionary attacks after all!)

    Hope you enjoyed this tip.

  2. #2  Community Leader jason (Join Date: Sep 2001; Location: Rochester, NY; Posts: 6,003)

    Actually, this is a limitation of the original Unix crypt (DES) encryption scheme. I'm not sure if it will work with HTTP Authentication, but it is possible to make crypt work with other algorithms. I've done this successfully with HTML forms based login systems using MD5 encryption. You won't be able to update your htpasswd files in CP using MD5, you'll have to write a PHP script or some other program to do it.

    Here's an example of how to MD5 encrypt a password using PHP:
    PHP Code:
    $encrypt = crypt($password, uniqid('$1$'));   // '$1$' prefix selects MD5-based crypt; uniqid() supplies the random salt characters
    The $1$ prefix of the string returned by uniqid() tells crypt that you want to use MD5. It will be followed by a 13 (I believe) character string of randomness that crypt will use as a salt. MD5 requires a 12 character salt, the extra character will be ignored.

    If you are using HTTP Authentication, you can write $encrypt to your htpasswd file. If you are using forms-based authentication, use this algorithm to test that a user's password is correct:
    PHP Code:
    if (crypt($userpasswd, $storedpasswd) == $storedpasswd) {
        // success: re-hashing with the stored entry's salt reproduced the stored hash
    }
    else {
        // failure
    }

    The stored password will begin with $1$ and the salt used to encrypt it. Since crypt ignores anything beyond what it needs, the password portion of $storedpasswd will be ignored and the crypt function will return an encrypted string of the entered password using the salt of the original. If the two passwords are the same, the encrypted values will be the same and the if expression will return true.

    Using MD5-based encryption has two advantages. First, the password length is longer (I'm not sure how many characters are allowed, but it's longer than most passwords tend to be). Second, MD5 encryption is tighter than DES encryption, making it (in theory) harder for someone to figure out individual passwords if they grab your htpasswd file somehow. Both of these obviously help secure your site.

    The beauty of this process is that it is completely backwards compatible with the older DES passwords. So, if you implement MD5 encryption, all of your old passwords will continue to work. When you do, you should probably encourage your users to change their passwords in order to upgrade everyone to MD5, but from a functionality standpoint it wouldn't be necessary.

    As I said before, I haven't used this with HTTP Authentication (CP's Password Protected Directories), so I don't know if it will work, but I suspect it will. If anyone tries this, please let me know how it goes.
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
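
Taking both posts together, an added PHP example (not code from either poster and not part of this thread): it reproduces the 8-character DES truncation from post #1 with the same test strings, and applies the "pass the stored hash back to crypt()" check from post #2 to both DES and MD5-crypt entries. The function names verify_crypt, des_hash and md5crypt_hash are chosen here, and the code assumes PHP 7.0 or newer for random_int() and hash_equals().

```php
<?php
// Added example (not from the thread): demonstrates the two points made above.
// 1. Traditional DES crypt() keeps only the first 8 characters of the password.
// 2. A stored hash carries its algorithm prefix and salt, so passing it back to
//    crypt() as the "salt" re-hashes with the same scheme. That is why DES and
//    MD5-crypt ($1$) entries can coexist in one store checked by crypt().
declare(strict_types=1);

// Re-hash $plain with the scheme/salt embedded in $stored and compare in
// constant time. Works for DES ("xy..."), MD5-crypt ("$1$...") and the
// other schemes this PHP build's crypt() supports.
function verify_crypt(string $plain, string $stored): bool
{
    $rehashed = crypt($plain, $stored);
    // crypt() returns a 2-character failure marker ("*0"/"*1") on error;
    // a real DES hash is 13 characters and MD5-crypt is longer.
    return strlen($rehashed) >= 13 && hash_equals($stored, $rehashed);
}

// Build a DES entry the way the cPanel feature did (2-character salt).
function des_hash(string $plain, string $salt2 = 'ab'): string
{
    return crypt($plain, $salt2);
}

// Build an MD5-crypt entry like Jason's snippet: "$1$" + random salt + "$".
function md5crypt_hash(string $plain): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {          // 8 salt characters from crypt's alphabet
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($plain, '$1$' . $salt . '$');
}

// Demonstration with the thread's own test strings.
$des = des_hash('12345ABCDEF');
var_dump(verify_crypt('12345ABC', $des));       // matches: DES keeps only 8 chars
var_dump(verify_crypt('12345ABCXXXXXX', $des)); // matches: characters 9+ are ignored
var_dump(verify_crypt('12345ABD', $des));       // rejected: differs within the first 8

$md5 = md5crypt_hash('12345ABCDEF');
var_dump(verify_crypt('12345ABCDEF', $md5));    // matches
var_dump(verify_crypt('12345ABC', $md5));       // rejected: every character counts
```

For new deployments the same verify-against-stored-hash pattern is what password_hash() and password_verify() provide with a stronger default algorithm (bcrypt), so prefer those over raw crypt() where the server supports them.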
