
does nginx auth_basic send the password plaintext?


auth_basic works on the same connection opened when connecting to the server, so it's plain text on http and SSL/TLS encrypted on https. The only processing that takes place on the user/pass combination is a Base64 encoding before being sent to the server.

You can use curl to see the headers:

$ curl -v -u your_user_name "http://......."

Look for the > Authorization: Basic ... line which contains a Base64 encoding of user:pass.

You can decode the string using:

printf '%s' 'auth_string' | base64 --decode

More details here.


Regarding the password file, nginx can use both clear text and hashed passwords in the password file (info here):

1. Plain text:

    # comment
    name1:password1
    name2:password2:comment
    name3:password3

2. Encrypted/hashed:

  • encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the
    “openssl passwd” command;

  • hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;

  • specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).

$ htpasswd
Usage:
    htpasswd [-cimBdpsDv] [-C cost] passwordfile username
    htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
    htpasswd -n[imBdps] [-C cost] username
    htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
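The following Python script is an added illustration of the two points made in the answer above; it is not code from the answer, from nginx or from Apache. It shows that the `Authorization: Basic` header is reversible Base64 (so only TLS protects the credentials on the wire), and it builds and verifies password-file lines in the RFC 2307 `{scheme}data` form that nginx accepts (`{PLAIN}` and `{SSHA}`). The function names, the sample user `alice`, the sample passwords and the fixed salt used in the demo are all constructed for this example. SSHA is shown because it is the scheme the answer describes; for a new deployment the `htpasswd -B` (bcrypt) option listed in the usage text above is the stronger choice.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def build_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for HTTP Basic auth.

    The credentials are only Base64-encoded, never encrypted: on plain http
    anyone on the path can read them; on https TLS protects the whole request.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value: str) -> tuple[str, str]:
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    This is what `printf '%s' token | base64 --decode` does on the shell, and
    it is why Base64 must never be mistaken for a secret.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed credentials: missing ':' separator")
    return user, password


def make_ssha_entry(user: str, password: str, salt: bytes | None = None) -> str:
    """Produce a 'user:{SSHA}...' password-file line (RFC 2307 salted SHA-1).

    Layout of the data field: base64(sha1(password + salt) + salt).
    A random 8-byte salt is used unless one is supplied (the demo passes a
    fixed one only so that its output is reproducible).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{user}:{{SSHA}}" + base64.b64encode(digest + salt).decode("ascii")


def verify_entry(entry: str, user: str, password: str) -> bool:
    """Check one '{scheme}data' password-file line against a user/password.

    Handles the optional trailing ':comment' field, the {PLAIN} scheme and the
    {SSHA} scheme; any other scheme is rejected rather than guessed at.
    Comparisons use hmac.compare_digest to avoid timing differences.
    """
    name, _, rest = entry.partition(":")
    if name != user or not rest.startswith("{"):
        return False
    data = rest.split(":", 1)[0]          # drop the comment field, if any
    scheme, _, data = data[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode("utf-8"), password.encode("utf-8"))
    if scheme == "SSHA":
        blob = base64.b64decode(data)
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return False


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cr3t")
    print("client sends:  Authorization:", header)
    print("anyone on the path recovers:", decode_basic_header(header))
    line = make_ssha_entry("alice", "s3cr3t", salt=b"\x01\x02\x03\x04")
    print("password-file line:", line)
    print("verify correct password:", verify_entry(line, "alice", "s3cr3t"))
    print("verify wrong password:  ", verify_entry(line, "alice", "wrong"))
```

Run it directly to see the header and the password-file line it produces; the point of the first two functions is that `decode_basic_header` needs no key at all, which is exactly the property that makes Basic auth over plain http unsafe.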