4

We have a directory we've protected using an .htaccess password. Both the username and password are long, complex, with various symbols.

I can log in from my machines (I've tried IE, Firefox, Chrome) without any difficulty. Some users, however, can't log in; the login fails when they (attempt to) log in.

I've been searching the web for details of possible limitations on htaccess usernames/passwords, but not having much luck. I'd be especially interested in knowing if there are browser-version-specific issues that cause a given browser to choke on specific symbols or lengths.

I'm getting the impression from what I've found so far that crypt is used to encrypt the passwords, and some versions of crypt (presumably older?) can only handle lengths of 8 or 13?

Iain
  • What sort of symbols are they? Are they all in the 0x00-0x7F range?? – Ether Jan 07 '10 at 17:45
  • Ah. Good question. I should have said that all the characters are in the 7-bit ASCII range (and all printable). That is, yes. :) – Iain Jan 07 '10 at 18:11
  • What version of IE did you try and what browser are the end users using? Plenty of problems where it works fine on your IE7/8 install, but the end user is still living it up with IE 5.5 or 6.0 – BuildTheRobots Jan 14 '10 at 22:24

1 Answer

1

In my experience, when using Basic Auth only the first eight characters of the password matter. I.e. crypt truncates the password before doing its magic.

I think the limitations of Digest Auth are different, but I'd have to look them up to tell you.

That doesn't really help you with your problem though. Are these problem users able to log in if the usernames/passwords are typed by yourself, or if they're simplified to dictionary words? Might be related to a keymap difference.

fredden
  • Odd. As far as I can remember, I was never notified of your answer. All the users were using the same username/password pair, that we had assigned. The character string for the password was a combination of letters, numbers, and one symbol. Once we learned that eight characters played a role, we truncated the password, but continued to have difficulty and finally discarded the approach as a solution. The "guy in charge" still wants something similar, but I've not come up with a good idea yet. – Iain Aug 27 '10 at 15:01
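
An added example (not part of the original question, answer or comments): a small audit that classifies `.htpasswd` entries by hash format and reports which ones are stored with traditional `crypt()`, the format Apache documents as using only the first 8 characters of the password. The sample entries are constructed placeholders rather than real hashes, and the function names are hypothetical.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return (scheme, significant_password_length or None) for one hash field."""
    if hash_field.startswith("$apr1$"):
        return ("apr1-md5", None)            # Apache-specific salted MD5
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", 72)                # bcrypt ignores input past 72 bytes
    if hash_field.startswith("{SHA}"):
        return ("sha1-unsalted", None)       # base64 SHA-1, no salt
    if DES_CRYPT.match(hash_field):
        # A 13-character plaintext entry would also match this pattern.
        return ("des-crypt", 8)              # only the first 8 characters count
    return ("unknown-or-plaintext", None)

def audit(htpasswd_text):
    """Parse user:hash lines, skipping blanks and comments, and classify each."""
    findings = []
    for lineno, line in enumerate(htpasswd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            continue                          # malformed line, no separator
        scheme, limit = classify(hash_field)
        findings.append({"line": lineno, "user": user,
                         "scheme": scheme, "limit": limit})
    return findings

def truncating_users(htpasswd_text):
    """Users whose stored hash ignores everything after the 8th character."""
    return [f["user"] for f in audit(htpasswd_text) if f["limit"] == 8]

# Constructed sample file: placeholder hash strings, not valid hashes.
SAMPLE = """\
# constructed example entries
legacy:abJnggxhB/yWI
alice:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA
bob:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']:8} {f['scheme']:22} significant chars: {f['limit']}")
```

Entries reported as `des-crypt` can be re-created in a format that uses the whole password, for example with `htpasswd -B` (bcrypt) or `htpasswd -m` (apr1 MD5).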