does nginx auth_basic send the password plaintext?
auth_basic works on the same connection opened when connecting to the server, so it's plain text on http and SSL/TLS encrypted on https. The only processing that takes place on the user/pass combination is a Base64 encoding before being sent to the server.
You can use curl to see the headers:

$ curl -v -u your_user_name "http://......."

Look for the > Authorization: Basic ... line, which contains a Base64 encoding of user:pass.

You can decode the string using:

printf auth_string | base64 --decode

More details here.
Regarding the password file, nginx can use both clear text and hashed passwords in the password file (info here):
1. Plain text:

# comment
name1:password1
name2:password2:comment
name3:password3
2. Encrypted/hashed:

- encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
- hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
- specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).
$ htpasswd
Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
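An added example, not part of the answer above, that ties the two halves together: it recovers the user:pass pair from a Basic Authorization header exactly as an on-path observer on plain http can (the Base64 step hides nothing), and checks it against an {SSHA} entry of the kind the nginx docs describe. The request text, the names and the helper functions are constructed here; the {SSHA} layout assumed is the OpenLDAP one, base64 of sha1(password + salt) followed by the salt.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample request, as seen on the wire over plain http.
# The token is only base64("alice:s3cr3t"); nothing about it is secret.
SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)

def credentials_from_request(raw):
    """Return (user, password) from a Basic Authorization header, else None."""
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None

def ssha_entry(password, salt=None):
    """Build an {SSHA} field: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password, field):
    """Check a password against an {SSHA} field; the salt is whatever follows the 20-byte digest."""
    blob = base64.b64decode(field[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def check_request(raw, htpasswd_text):
    """Authenticate the request's Basic credentials against htpasswd lines of the form name:field[:comment]."""
    creds = credentials_from_request(raw)
    if creds is None:
        return False
    user, password = creds
    for line in htpasswd_text.splitlines():
        name, _, rest = line.partition(":")
        field = rest.split(":", 1)[0]
        if name == user and field.startswith("{SSHA}"):
            return verify_ssha(password, field)
    return False
```

Only {SSHA} entries are verified here; crypt() and apr1 entries from htpasswd need their own algorithms and are skipped.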