Was I the last to know? mod_auth basic, crypt() and the first 8 chars

I did not know this until just last week. Seems everyone I've mentioned it to already did, so I thought I'd better prove my noobness in bulk to you all now by writing about it.

It seems that when you hash a password with htpasswd in the crypt() format and use (at least) basic mod_auth in Apache, crypt() only uses the first 8 characters of the password when authenticating a user.

In other words, if you set a password of 'password' but type 'passwordhellotodayisSunday!' into the auth dialog in your browser, you will still be authenticated.

Not that big a deal, but if you have two separate users whose passwords share the same first 8 characters (say, a company name!), and their authentication somehow gives them different results depending on their role, you might get a surprise.

Then again, why would you use a company name or anything else common in a password shared between multiple users. Right? :)
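A practical way to find out whether you are affected is to check which hash format each entry in an htpasswd file uses: a classic crypt() entry (the kind htpasswd writes with its -d option) is 13 characters from the crypt alphabet with no prefix, whereas $apr1$, {SHA} and bcrypt entries do not truncate at 8 characters. The audit script below is an added example, not code from the original post or from Apache; the htpasswd contents are constructed sample data, not real credentials.

```python
import re

# Constructed sample htpasswd file (made up for this example; not real accounts).
SAMPLE_HTPASSWD = """\
# users for the intranet
alice:xlpbn/Tyr4tQA
bob:$apr1$abcdefgh$0123456789abcdefghijkl
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:$2y$05$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz0123456
"""

# Classic DES crypt(): 2-char salt + 11-char hash, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h):
    """Return the password scheme name for one htpasswd hash field."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if h.startswith("{SHA}"):
        return "sha1"
    if DES_CRYPT_RE.match(h):
        return "des-crypt"  # only the first 8 password characters matter
    return "unknown"


def audit_htpasswd(text):
    """Parse htpasswd text.

    Returns (schemes, truncating): a {user: scheme} map and the sorted list of
    users whose entries silently ignore everything past the 8th character.
    """
    schemes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        user, _, h = line.partition(":")
        schemes[user] = classify_hash(h)
    truncating = sorted(u for u, s in schemes.items() if s == "des-crypt")
    return schemes, truncating


if __name__ == "__main__":
    schemes, truncating = audit_htpasswd(SAMPLE_HTPASSWD)
    for user, scheme in schemes.items():
        print(f"{user}: {scheme}")
    print("8-char truncation affects:", truncating)
```

Entries flagged as des-crypt are the ones to re-hash (for example by re-running htpasswd without -d) so that the full password is checked.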
