Notes about the password encryption formats generated and understood by Apache.
There are five formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
crypt(3)
function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password. Insecure.$ htpasswd -nbB myName myPassword myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC
$ htpasswd -nbm myName myPassword myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
$ htpasswd -nbs myName myPassword myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
$ htpasswd -nbd myName myPassword myName:rqXexS6ZhobKA
OpenSSL knows the Apache-specific MD5 algorithm.
$ openssl passwd -apr1 myPassword $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
openssl passwd -crypt myPassword qQ5vTYO3c8dsU
The salt for a CRYPT password is the first two characters (converted to a binary value). To validate myPassword
against rqXexS6ZhobKA
$ openssl passwd -crypt -salt rq myPassword Warning: truncating password to 8 characters rqXexS6ZhobKA
Note that using myPasswo
instead of myPassword
will produce the same result because only the first 8 characters of CRYPT passwords are considered.
The salt for an MD5 password is between $apr1$
and the following $
(as a Base64-encoded binary value - max 8 chars). To validate myPassword
against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
$ openssl passwd -apr1 -salt r31..... myPassword $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.
To create Apache SHA1-variant basic-authentication passwords in various languages:
'{SHA}' . base64_encode(sha1($password, TRUE))
"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
require 'digest/sha1' require 'base64' '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
Use the APR function: apr_sha1_base64
import base64 import hashlib "{SHA}" + format(base64.b64encode(hashlib.sha1(password).digest()))
'{SHA}'||encode(digest(password,'sha1'),'base64')
Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password
as a 32-character string of hexadecimal digits. realm
is the Authorization Realm argument to the AuthName
directive in httpd.conf.
Since the MD5 function is commonly available, other software can populate a database with encrypted passwords that are usable by Apache digest authentication.
To create Apache digest-authentication passwords in various languages:
md5($user . ':' . $realm . ':' .$password)
byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes()); java.math.BigInteger bi = new java.math.BigInteger(1, b); String s = bi.toString(16); while (s.length() < 32) s = "0" + s; // String s is the encrypted password
LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
require 'digest/md5' Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
© 2017 The Apache Software Foundation
Licensed under the Apache License, Version 2.0.
https://httpd.apache.org/docs/2.4/en/misc/password_encryptions.html