Saturday, December 5, 2009

.htaccess Password Protection


On an Apache web server, the easiest way to put simple password protection on a directory, or even a single file, is with a '.htaccess' file.

To password protect an entire directory, in the folder that you wish to be protected create a file called '.htaccess'.

In the '.htaccess' file insert the following statements:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/file/.htpasswd"
require valid-user

Where "/path/to/file/.htpasswd" needs to be adjusted to reflect where you will keep your password file.

If you want to protect only a specific file rather than the whole directory, modify the '.htaccess' file so that the statements apply to that file alone. This is done by enclosing the statements in the following tags:

<Files>
</Files>

In this example, we will protect the file 'file.html'. This is done by modifying the .htaccess statement as follows:

<Files file.html>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/file/.htpasswd"
require valid-user
</Files>

Now we can create the password file, and add usernames and encrypted passwords. cd to the directory where you will keep the password file. (You can always move the file to its final location later, modifying paths according to where you set the AuthUserFile location in '.htaccess' file.) Note that your web directory is probably not your home directory on most commercial web hosts, although with most hosts you can use your hosting control panel to do the setup for you and configure where the files are placed automatically.

Using the shell command line, type the following command:

htpasswd -c .htpasswd username

Where username is the login name of the user you want to give access. The user name should be a single word without any intervening spaces. You will then be prompted to enter the password for that user. When this is done, the htpasswd utility creates a file called .htpasswd in the current directory.

If you have more than one user, create passwords for them as well, but using the following command for each subsequent user:

htpasswd .htpasswd another-username

Notice that this time, we did not use the "-c" option. When the "-c" option is not present, htpasswd will look for an existing file by the name given (.htpasswd in our case), and append the new user's password to that file. If you use "-c" for your second user, you will wipe out the first user's entry since htpasswd takes "-c" to mean create a new file, overwriting the existing file if present.

If you are curious about the contents of the file, you can take a look using the following command:

cat .htpasswd

Since the '.htpasswd' file is a plain text file, with a series of user name and encrypted password pairs, you might see something like the following:

billy:12kl254opJ7Y
jean:15f59N1ty5rG

This file has two users "billy" and "jean". The passwords you see will not be the same as the ones you typed, since they are now encrypted. Notice that it is username first, followed by the password. There is a handy-dandy online tool available for you to easily encrypt the password into the proper encoding for use in an '.htpasswd' file.

Before you quit, you should make sure that permissions on the file are acceptable. To check the permissions, simply type the following on the shell command line:

ls -al .htpasswd

You will see the file listing something like:

-rw-rw-rw- user group 129 .htpasswd

This means that the '.htpasswd' file can be read and written by everyone who has an account on the same server as you. The first "rw" means that the owner of the file (you) can read it and write to it. The next "rw" means everyone in the same group as you can read and write the file. The third "rw" means that everyone with an account on that machine can read and write the file.

You don't want anyone else to be able to write to the file except you, since they could then add themselves as a user with a password of their own choosing, or tamper with the file in other ways. To remove the write permission from everyone except you, do this from the shell command line:

chmod 644 .htpasswd

This allows the file to be read and written by you, and only read by others. Depending on how your server is set up, it is probably too risky to change the permissions to prevent others from your group or the world from reading it, since if you do so, the Apache web server will probably not be able to read it either. In any case, the passwords are encrypted, so anyone who sees the file will hopefully not be able to decrypt the passwords.

If you have set a different directory for your password file in your '.htaccess' file earlier, you will need to move it there. You can do this from the shell command line as follows:

mv .htpasswd new/location/of/the/.htpasswd

Remember that your file does not even have to be called '.htpasswd'. You can name it anything you like. However, if you do, make sure that your AuthUserFile directive has the same directory and filename or Apache will not be able to locate it.
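The two checks above (what the user:hash lines mean, and whether the permissions are safe) can be automated. The following is an added example, not code from the original post or from Apache: it parses an '.htpasswd' file, verifies a password for entries in the "{SHA}" form that `htpasswd -s` writes (the crypt(3) form shown in the post needs the system crypt() and is left unsupported), and reports the permission problems the post describes. The sample file contents are constructed.

```python
import base64
import hashlib
import hmac
import stat

# Constructed sample .htpasswd (not from the original post). "billy" uses the
# traditional crypt(3) form shown in the post; "jean" uses the "{SHA}" form that
# `htpasswd -s` writes: "{SHA}" + base64(SHA-1(password)), here for "password".
SAMPLE_HTPASSWD = """billy:12kl254opJ7Y
jean:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def parse_htpasswd(text):
    """Return {username: stored_hash} from 'user:hash' lines; skip blanks/comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(users, username, password):
    """Verify a password against the stored hash (only the {SHA} scheme here)."""
    stored = users.get(username)
    if stored is None:
        return False
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        # constant-time comparison, as for any credential check
        return hmac.compare_digest(stored[len("{SHA}"):], digest)
    raise ValueError("unsupported hash scheme for user %r" % username)


def permission_problems(mode):
    """Flag the issues the post warns about; mode is os.stat(path).st_mode or 0o666."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable: anyone in your group can add a user")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any account on the server can add a user")
    if not mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("not readable by group or others: Apache may fail to read it")
    return problems
```

Run `permission_problems(os.stat(".htpasswd").st_mode)` on the real file; an empty list corresponds to the 644 mode set above.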

Testing Your Setup

Once you have completed the above, you should test your setup using your browser to make sure that everything works as intended. Upload a simple index.html file into your protected directory and use your web browser to view it. You should be greeted with a prompt for your user name and password. If you have set everything up correctly, when you enter that information, you should be able to view the index.html file, and indeed any other file in that directory.

Don't live with the illusion that password protecting directories or files with '.htaccess' can safeguard your data. Always remember:

1. The password protection only guards access through the web. You can still freely access your directories from your shell account. So can others on that server, depending on how the permissions are set up in the directories.

2. It protects directories and not files themselves. Once a user is authenticated for that folder, he/she can view any file in that directory and its descendants.

3. Passwords and user names are transmitted in the clear by the browser (Basic authentication only base64-encodes them, it does not encrypt them), so over plain HTTP they are vulnerable to being intercepted by others.

4. You should not use this method of password protection for anything serious, such as customer data, credit card information or any other sensitive information. It is basically only good for things like keeping out search engine bots and casual visitors. Remember, your data in the directory is not encrypted in any manner using this method.