.htpasswd credentials

ID

htpasswd

Severity

low

Vendor

Apache

Family

Password

Description

.htpasswd files are used for HTTP Basic authentication in web servers such as Apache, storing one username:password record per line.

Security

The password field is hashed, but the algorithm varies from the insecure Unix crypt() function and MD5-based schemes (Apache's $apr1$ format) to the more cryptographically robust bcrypt algorithm.

If an .htpasswd file is leaked, the hash cannot be used directly to log in, but it can be attacked offline with dictionary or even brute-force guessing. The hashing schemes commonly found in these files are not robust enough for leaked .htpasswd credentials to be considered protected secrets.

Examples

# Sample .htpasswd file
bob123:$apr1$FaPCZHMe$jYiw5.9UevKx25pBH4AsT/
nancy456:$apr1$mrCHcVhc$oNdJeRcWKPk2z8dlzQI0x/
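As an added defender-side check (example code, not part of the original page or of Apache's own tools), the following Python parses records in the format shown above and reports which hash scheme each account uses, so a leaked file can be triaged quickly. The bcrypt, {SHA} and crypt() entries in the sample are constructed placeholders, and classification is by prefix only; it does not verify that a hash is well-formed.

```python
import re
from typing import List, Tuple

# Constructed sample: the first two records are the page's examples, the
# remaining three are placeholder hashes in the right shape, not real credentials.
SAMPLE_HTPASSWD = """\
# Sample .htpasswd file
bob123:$apr1$FaPCZHMe$jYiw5.9UevKx25pBH4AsT/
nancy456:$apr1$mrCHcVhc$oNdJeRcWKPk2z8dlzQI0x/
carol:$2y$10$placeholderSaltAndHashValueNotReal0000000000000000000
dave:{SHA}placeholderBase64Sha1Value00=
erin:abCONSTRUCTD1
"""

# Traditional DES crypt(): exactly 13 characters from the crypt alphabet.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(h: str) -> Tuple[str, str]:
    """Return (scheme, strength) for one htpasswd password field, judged by prefix."""
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", "strong")      # salted, adaptive work factor
    if h.startswith("$apr1$"):
        return ("apr1-md5", "weak")      # Apache's iterated MD5: fast to guess offline
    if h.startswith("{SHA}"):
        return ("sha1", "weak")          # unsalted SHA-1, base64-encoded
    if CRYPT_DES.fullmatch(h):
        return ("crypt-des", "weak")     # legacy crypt(): truncates passwords to 8 chars
    return ("plaintext-or-unknown", "weak")

def parse_htpasswd(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (user, hash, scheme, strength) per record; comments and blank lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed .htpasswd record: {line!r}")
        user, hashed = line.split(":", 1)
        scheme, strength = classify_hash(hashed)
        records.append((user, hashed, scheme, strength))
    return records

def weak_accounts(text: str) -> List[str]:
    """Usernames whose password should be assumed recoverable if the file leaks."""
    return [user for user, _, _, strength in parse_htpasswd(text) if strength == "weak"]

if __name__ == "__main__":
    for user, _, scheme, strength in parse_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:10} {scheme:22} {strength}")
```

Every account listed by weak_accounts() needs the credential rotation described under Mitigation / Fix regardless of how strong the original password was.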

Mitigation / Fix

  1. Remove the .htpasswd file from the source code.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system (for example by regenerating the credentials and rewriting the .htpasswd entries).

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.