Question

I have a script that runs the usernames and password through an htpasswd invocation:

 /usr/local/apache2/bin/htpasswd -b $file $user $pass

and adds them to a file.

bash-3.00$ grep caspers$nytest /prod/archive/2013Nov29/foo-users1
aacaspersrepo:$apr1$QSKSjpwI$Mrn8sWRki4Pb3kxYwayPF/
aacasperstreasview:$apr1$PHpwkF2N$YsAr7cnJtjABK7T8FbhgL.
casperstest:$apr1$lIuRZ1jW$DAHFKmIRHcPoS0kAzRcmB1
casperstest1:$apr1$1nyAfTJN$yAtF1ToIw5UCQxo7CJMcp0
casperstest2:$apr1$BZEcwVEV$dILld.zfxa4B6G0pKQFtg/
caspers$bank:$apr1$XWdLqwKb$O8st/xXcPOyEmApsHj4FS.
caspers$nytest:$apr1$N/GoMyoZ$5WGvyWVWGDgZPApuvGeb9/
casperscust$ny:$apr1$zCpRLoZG$zK8yc9IkKoR1BqGsHXFdK/
casperscust$nytest:$apr1$gLzFo3gk$YVZ9ALVhD/rHOhNUmJic80
bash-3.00$
bash-3.00$
bash-3.00$
bash-3.00$ grep caspers$nytest /prod/archive/2013Nov28/foo-users1
aacaspersrepo:$apr1$GahfhX78$eah4xp9ba.hQ1jb8NbPC.1
aacasperstreasview:$apr1$8aKZu1ku$Q8BKTSEdXFxkpQtXIhQO01
casperstest:$apr1$gmIdA8cX$FTe1hreH5/6gFLTFYA9zN.
casperstest1:$apr1$dtSjEVAZ$ya2S4gJ5ArKX7Z5kKDYnS.
casperstest2:$apr1$ZcKdZrTG$Ip0jxulsxR.KNJkDhi3rw1
caspers$bank:$apr1$BvCtx.n2$s/teof5StdXBFzc3wAe.d1
caspers$nytest:$apr1$GjOnubg1$KtselMH6H6nCyp7oiAbOJ/
casperscust$ny:$apr1$ieUhlGhA$zrHnSkdxbHlG7eK.3mmYO1
casperscust$nytest:$apr1$pAFgIv71$YMIjy8T7/6DQnJSdRYk361 
bash-3.00$

The diffs between the days are massive. The problem is that the password hashes change from one day to the next. You would figure that the hashes would be the same unless the user changed them, that the algo that htpasswd uses would pump out the same hash for the same password until the user changed it.

I don't see anything in the docs.

Is this expected behavior or is there something very wrong with my script?


Solution

This is expected behavior.

htpasswd uses a random salt every time a password is hashed. This is done, among other things, so that two users with the same password will not get the same hash and in order to avoid dictionary attacks against the password file.

You can find the documentation on Apache httpd password formats here: http://httpd.apache.org/docs/current/misc/password_encryptions.html
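Why the stored hashes differ from day to day while the passwords still verify, as an added example (not code from the original answer or from Apache): a Python re-implementation of the `$apr1$` scheme that re-hashes a password with the salt stored in the entry. The usernames, password and salts are constructed sample values, and `needs_rewrite` is a hypothetical helper a script could call before invoking `htpasswd -b` so that unchanged passwords keep their existing line.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ (MD5-crypt variant) for a given password and salt."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    i = len(pw)
    while i:                                  # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                     # fixed 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c3]
        for _ in range(4):                    # 24 bits -> 4 chars, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${sl.decode()}${out}"

def verify(entry: str, password: str) -> bool:
    """Check a 'user:$apr1$salt$digest' line by re-hashing with its stored salt."""
    stored = entry.strip().split(":", 1)[1]   # usernames may contain '$'
    _, scheme, salt, _ = stored.split("$")
    if scheme != "apr1":
        raise ValueError("only $apr1$ entries are handled in this sketch")
    return hmac.compare_digest(apr1_hash(password, salt), stored)

def needs_rewrite(entry: str, password: str) -> bool:
    """Hypothetical helper: True only when the entry no longer matches."""
    return not verify(entry, password)

# Constructed sample: same password hashed on two "days" with different salts.
day1 = "exampleuser:" + apr1_hash("example-pass", "saltAAAA")
day2 = "exampleuser:" + apr1_hash("example-pass", "saltBBBB")
```

Both `day1` and `day2` verify against the same password even though the lines differ, which is why a textual diff of the files says nothing about whether a password changed.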

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow