Jump to content

Security Of .htaccess Files


Recommended Posts

I run a site hosted here by TCH for my school and I've just learned that one of my students has hacked the passwords for my .htaccess protected directories. Word is that he used a hacking program called "John XXX XXXXXX" [i won't spell out the entire name just to be safe] to get to my passwords.

 

Can anyone say if this is indeed possible? If yes, what in the world can I do to securely protect access to these directories if any teenager with a freely downloadable hacker application can access my passwords?

 

I really need some advice here and fast. Please help!

 

Thanks in advance.

Link to post
Share on other sites

I haven't heard of that, but then again, that's not to say that it's not possible. Hopefully some of our more "security-wise" family members will chime in here.

Link to post
Share on other sites
Guest Serpentine

Is it possible, sure. But those programs are best at getting weak or waker passwords. I would get AnyPassword and change all of your passwords. This program generates and stores your passwords so you do not have to remember them. I have mine set to at least 24 characters for my passwords using upper and lower-case, numbers and symbols. It takes quite a bit to get to that kind of password.

 

I would wait and see what some of the more security minded folks here have to say.

Edited by Serpentine
Link to post
Share on other sites

Serpentine,

 

Thanks for the reply. I checked on this program and it used to crack "weak" passwords on Unix systems. I wonder if "weak" simply means short passwords that don't make use of upper and lower case characters along with numerals and symbols. If making my password "strong" doesn't require some sort of special encoding or hashing, then big complicated password here we come. Could it be that simple?

 

As you suggest, I would still like to hear from some serious security gurus.

Link to post
Share on other sites

A weak password would be:

less than 8 characters

consist of only lower case letters

a common dictionary word

 

I know what program you are referring to, it uses a word list and requires access to the file/files storing the passwords. So the only way that someone could have done this is if they were able to access your files.

Link to post
Share on other sites

Everyone pretty much covered the bases already, but I'll reemphasize the biggest point and that is not to allow *anyone* to gain access to the password file. Once someone has access to or a copy of the hashed passwords, it's relatively simple to crack the easier ones. All it takes is cpu time.

Link to post
Share on other sites

I was just going to say what Mike already said. If he used that John-etc (it's probably the best known password cracker, btw :P) it means he had access to the password files. All you have to do is remove him the possibility of accessing the password files and I'm pretty sure he won't be able to get into your site again.

 

If he does, then you're probably dealing with someone who has a bit more knowledge than usual nad that will require some other measures. But I wouldn't expect that :dance:

Link to post
Share on other sites
All you have to do is remove him the possibility of accessing the password files and I'm pretty sure he won't be able to get into your site again.

 

Thanks everyone for the advice. I will definitely go for a STRONG password. However, I'm not sure how to restrict access to the password file. I believe the .htaccess file is in the root directory and that the passwords are actually outside the root directory -- perhaps someone at TCH can clarify this point. These files are generated and placed by the CPANEL interface, so I'm not sure what I can do to secure these files.

Link to post
Share on other sites

Note that if you are using 'Basic' authentication, your username and password are passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across. Using the 'Digest' authentication type solves this problem, but is more difficult to implement and is not supported by all browsers. Read more about it in the Apache documentation: http://httpd.apache.org/docs/howto/auth.html.

Link to post
Share on other sites
Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

 

So, that would be an alternate way to discover the password without using a cracking tool such as John XX. But in this instance, it appears that the cracking tool was use and not a packet sniffer. That leaves me with the big question of how did this student gain access to the password files? Wouldn't he need access to my hosting account to also have access to the password files?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...