How secure is htaccess authentication

Question

I need to protect a clients CMS with a username and password, only one username is needed. I was going to use htaccess because its so quick to add.

I'll be adding it using the password directories feature in WHM which stores the passwords here: AuthUserFile "/home/username/.htpasswds/public_html/cms/passwd"

How secure is this? Are there ways to get into folders such as .htpasswds?

Answer 1

Straight from Apache's documentation

The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.

Please read the rest HERE

Please read the comments, things have changed since 2011. Good catch @reve_etrange

Answer 2

You should deny access to the folder that contains passwd files

<Directory /home/*>
    Order allow,deny
    Deny from all
    Satisfy all
</Directory>

also don't forget that http traffic can be captured, so it won't suit for financial transactions.

Answer 3

As long as you set up the proper restrictions in your httpd.conf file to block external requests for .htaccess, and .htpasswd you should be okay.

You can block external requests (in Apache) with the following directives:

# The following code hides .htaccess and .htpasswd files from sites visitors.

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>