Comments on: .htaccess 101: how to password protect a directory http://www.dman.com/htaccess-101-how-to-password-protect-a-directory/ Search Engine Optimization, InfoSec and Ethical Hacking Tue, 08 Nov 2011 07:42:56 +0000 hourly 1 By: Jay http://www.dman.com/htaccess-101-how-to-password-protect-a-directory/#comment-3 Jay Wed, 23 Jun 2010 01:59:48 +0000 http://www.dman.com/?p=120#comment-3 Good advice; far too few small-shop webpages have proper access control in place, this is definitely a step (out of many) in the right direction. I cannot emphasize enough the significance of ensuring that the password file is stored <b>outside</b> of the web directory. Even if it only contains hashes, a well-equipped novice hacker could easily use a brute force tool such as <i>John</i> to enumerate the keys to your web server "castle". Additionally, ensure that access to these files is strictly locked down (<i>man chmod</i> may very well be your best friend), especially if the server resides within a shared environment. Good advice; far too few small-shop webpages have proper access control in place, this is definitely a step (out of many) in the right direction.

I cannot emphasize enough the significance of ensuring that the password file is stored outside of the web directory. Even if it only contains hashes, a well-equipped novice hacker could easily use a brute force tool such as John to enumerate the keys to your web server “castle”. Additionally, ensure that access to these files is strictly locked down (man chmod may very well be your best friend), especially if the server resides within a shared environment.

]]>