Submitted by mig5 on
I did not know this until just last week. Seems everyone I've mentioned it to already did, so I thought I'd better prove my noobness in bulk to you all now by writing about it.
It seems when you crypt a password with htpasswd and use (at least) basic mod_auth in Apache, the crypt only takes the first 8 characters of your password for use in authenticating a user.
In other words, if you set a password of 'password' but type into the auth dialogue in your browser, 'passwordhellotodayisSunday!', you will still get authenticated.
Not that big a deal, but in case you have two separate users that share the same first 8 chars of a password (say, a company name!), and somehow their authentication provides them with different results depending on their role, you might get a surprise.
Then again, why would use use a company name or anything else common in a password between multiple users. Right? :)