What is Basic Authentication? Thorough explanation of mechanism, setting method, and security risks
Security

What is Basic Authentication? Thorough explanation of mechanism, setting method, and security risks

"Basic Authentication" puts a simple lock on a website. It is frequently used in development environments and internal-only pages, but actually there are security risks... We explain correct setting method, how to write .htaccess, and points to note for beginners.

That screen where you enter "Username and Password"

Have you ever had a popup appear from the top of your browser asking for "Username" and "Password" the moment you accessed a website? That is Basic Authentication.

It is a very old technology, but because it is easy to set up and can be used on any server, it is still frequently used in Web production sites.

htpasswd GeneratorGenerate .htpasswd files for secure Apache Basic Authentication.

3 Scenes where Basic Authentication is used

Basic Authentication is not suitable for high-function authentication like "Member Site", but it is useful in the following situations.

1. Test site before release

When restricting access so that only related parties (clients and production companies) can optimize during website renewal or new construction. This is the most common use.

2. Simple tool for internal use only

Cases where strict user management (who logged in when, etc.) is not required, such as management screens used only by internal personnel or pages of business manuals.

3. Protection of specific directory

When putting a "double lock" on specific important pages such as WordPress management screen (/wp-admin/).


Mechanism: Teach "Password" to Server

Basic Authentication uses the function of Web server (Apache, Nginx, etc.). By placing two setting files in a specific folder (directory), you instruct the server "Password is required to see contents of this folder".

2 Required Files

  1. .htaccess (Dot H Access)

    • File to write settings such as "Enable authentication", "Where is the password file".
    • Place in the directory where you want to restrict access.
  2. .htpasswd (Dot H Password)

    • File where "Username" and "Encrypted Password" are written.
    • It is usually safe to place it outside the Web public area (place cannot be accessed directly from browser).

Setting Procedure: Let's do it manually

STEP 1: Create .htpasswd (Password File)

Describe user information in this file in the following format.

Username:Encrypted Password

The important point here is that you must not write the password as is. Even if you write admin:password123, it will not work. It must be hashed (encrypted).

Example: admin:$apr1$ToGq...

To create this "encrypted string", use dedicated commands or generation tools. With Jenee's tool, you can create it instantly.

htpasswd GeneratorGenerate .htpasswd files for secure Apache Basic Authentication.

STEP 2: Create .htaccess (Configuration File)

Next, create a .htaccess file with the following code.

AuthType BasicAuthName "Input ID and Password"AuthUserFile /home/mysite/www/.htpasswdRequire valid-user
  • AuthType: Declaration to use Basic Authentication.
  • AuthName: Message displayed on input screen (may not be displayed depending on browser).
  • AuthUserFile: Specify full path on server of .htpasswd file created earlier. This is the biggest mistake point!
  • Require valid-user: Setting to allow access only to users who succeeded in authentication.

Common Troubles and Solutions

Q. "500 Internal Server Error" appears

A. The following causes are considered.

  • Full path is wrong: Path of AuthUserFile is wrong. Check accurate full path using server management screen, FTP software, or PHP's echo __DIR__;.
  • Typo: Full-width space is entered, spelling mistake, etc.

Q. Password does not pass (Screen appears many times)

A. There is a possibility that password of .htpasswd is not encrypted correctly. Try recreating it correctly using generation tool. Also, password cannot contain ": (colon)".


Serious Security Notes

Basic authentication is a "simple" key. Overconfidence is prohibited.

1. Eavesdropping risk on communication path

Basic authentication sends user name and password in a format called "Base64 encoding". Unlike encryption, this can be easily returned to original characters. If used on a site that is not SSL (https) (http), password will flow on the net in a state where it is completely visible. be sure to use in HTTPS environment.

2. No logout function

Once logged in, authentication state is maintained until browser is completely closed. "Logout button" cannot be installed.

3. Weak against brute force attacks

Since function such as count limit (lockout) is not attached by default, there is a possibility that it will be broken through by brute force if time is taken.


Summary

Basic authentication is old technology, but because of its simplicity, it is still powerful weapon. When you think "I want to hide here a little", you can lock quickly with only setting file without writing program. Knowing this ease will definitely be useful in Web production sites.

If you use Jenee's tool, troublesome hashing and syntax creation are completed by copy and paste. Please bookmark and use it.

htpasswd GeneratorGenerate .htpasswd files for secure Apache Basic Authentication.

Related Articles