6

I need to restrict some webpages to certain users and I do this using a .htpasswd file through nginx.

The problem is I need to add other people's bcrypt password hashes to my .htpasswd file. Would it be possible for them to generate it using htpasswd on their own machine (could be windows, mac, linux), and then give me the resulting hash? I would add this hash to the .htpasswd file.

The other problem is I think bcrypt uses salts to generate the hashes. If they generate a bcrypt hash on their own computer with their own salt, wouldn't this be a problem since the server won't have that salt value? Conversely, if bcrypt doesn't use salts but if I want to use salts, how would I solve this problem?

user1812844
  • 355
  • 1
  • 3
  • 6


8

Normally the output (hash) when hashing a password with Bcrypt is not merely the hash: it is a text string which also encodes the salt and identifies the hash algorithm used.

From this stackoverflow answer:

$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa
  • 2a identifies the bcrypt algorithm version that was used.
  • 10 is the cost factor; 2^10 iterations of the key derivation function are used (which is not enough, by the way. I'd recommend a cost of 12 or more.)
  • vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa is the salt and the cipher text, concatenated and encoded in a modified Base-64. The first 22 characters decode to a 16-byte value for the salt. The remaining characters are cipher text to be compared for authentication.
  • $ are used as delimiters for the header section of the hash. This example is taken from the documentation for Coda Hale's ruby implementation.

htaccess allows for generating bcrypt with the -B switch (refer to the manpage here). So as long as everyone has htaccess installed or anything else which can generate valid bcrypt hashes, you should be alright.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
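The answer's point is that a bcrypt string carries its own salt and cost, so the server needs nothing beyond the string itself. The following script is an added example, not code from the question or answer: it splits a bcrypt string into version, cost, 16-byte salt and 23-byte digest using bcrypt's own base64 alphabet, then audits the lines of an .htpasswd file for entries that are not bcrypt or use a cost below the 12 the answer recommends. The sample file, the function names and the `min_cost` parameter are this example's own assumptions; only alice's hash is the one quoted above, bob's is the same string with the cost field rewritten to 12 (format-valid, not a real password hash), and carol's `$apr1$` line is a placeholder.

```python
"""Parse and audit bcrypt entries in an .htpasswd file (added example, not from the post)."""
import re

# bcrypt's own base64 alphabet (not the RFC 4648 one): "." and "/" come first, then A-Z, a-z, 0-9
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22 salt chars><31 digest chars>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt's modified base64; the trailing partial bits are discarded."""
    acc = bits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1  # keep only the not-yet-emitted low bits
    return bytes(out[:nbytes])


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its self-describing fields; raises ValueError if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not in bcrypt $2?$cc$... format")
    version, cost_str, salt_b64, digest_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "version": version,
        "cost": cost,
        "iterations": 2 ** cost,                     # the cost is a log2 work factor
        "salt": bcrypt_b64decode(salt_b64, 16),      # 22 chars -> 16 salt bytes
        "digest": bcrypt_b64decode(digest_b64, 23),  # 31 chars -> 23 digest bytes
    }


def audit_htpasswd(lines, min_cost: int = 12):
    """Return (line_no, user, problem) for every entry that is not bcrypt at >= min_cost."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((line_no, None, "malformed line (no user:hash separator)"))
            continue
        user, hash_str = line.split(":", 1)
        try:
            info = parse_bcrypt(hash_str)
        except ValueError as exc:
            findings.append((line_no, user, f"not a usable bcrypt hash: {exc}"))
            continue
        if info["cost"] < min_cost:
            findings.append((line_no, user, f"cost {info['cost']} is below {min_cost}"))
    return findings


# Constructed sample file (assumption). Only alice's hash is the one quoted in the answer;
# bob's reuses that salt/digest body with the cost rewritten to 12, so it is format-valid
# but not a real password hash; carol's $apr1$ entry is a placeholder, not a real value.
SAMPLE_HTPASSWD = [
    "# constructed sample .htpasswd",
    "alice:$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa",
    "bob:$2y$12$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa",
    "carol:$apr1$placehld$PLACEHOLDERNOTAREALHASH",
    "dave-no-separator",
]


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HTPASSWD[1].split(":", 1)[1])
    print(f"version={info['version']} cost={info['cost']} ({info['iterations']} iterations) "
          f"salt={info['salt'].hex()}")
    for line_no, user, problem in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {line_no} ({user or '?'}): {problem}")
```

Because the salt is decoded from the string itself, a hash generated on a contributor's own machine with its own random salt verifies fine once pasted into the server's file; what the audit catches instead is the cost being too low or the line not being bcrypt at all.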