How secure is .htaccess?

Yamaha FJR Motorcycle Forum

I wouldn't put any passwords in a .htaccess file. If someone does gain access to the file through some loophole, you've just granted them full access to whatever if it's associated with the correct URL.

My $0.02, don't spend it all in one place.

 
OK, if I wanted to put passwords on a server so my wife and I can access them from any computer, what would I use?

 
.htaccess files are only as secure as your web server's file system, your Apache setup, and your diligence in creating the .htaccess file properly. If you screw up setting read permissions to the .htaccess file, the associated .htpasswd file, or the directory they live in, either through the server's file system or in the .htaccess file itself, anyone with half a clue can snag your password list just by browsing the directory.

It should be fine for protecting a page that does not contain any information that is not already available to the public. I can't tell you if it'll serve your needs without more explanation on what you're using it for.

Here's a quick little tutorial that explains most of the basics:

https://www.javascriptkit.com/howto/htaccess.shtml

Whoops, you got your reply in while I was typing. Don't ever put your important passwords in a file available on any web server. If you need to keep passwords to web sites like online banking, etc. around where you can get to them without remembering them, use something like KeePass that will maintain an encrypted list of your passwords on a USB memory key that you can carry around.

 
If the password file was not web accessible (above web access on the server) and the entire directory that has the .htaccess file was password protected, would that be somewhat secure? I'm not talking about bank passwords really, mostly forum usernames and passwords, school resources for my wife, etc. Although some would be more personal than others.
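A check for the setup discussed in the posts above, as an added example that is not part of any poster's reply: it reads AuthUserFile from a directory's .htaccess and flags a password file that sits under the document root or is world-readable, a world-writable .htaccess, and a missing Require line. The function name and finding labels are made up for this example, and it assumes the AuthUserFile path contains no spaces.

```shell
#!/bin/sh
# Added example, not from the thread. Audits one password-protected directory.
# Usage: audit_htaccess DOCROOT PROTECTED_DIR
# Prints "ok" (returns 0) or a space-separated list of findings (returns 1).
audit_htaccess() {
    docroot=$(cd "$1" && pwd -P) || return 2
    dir=$(cd "$2" && pwd -P) || return 2
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then echo "no-htaccess"; return 1; fi

    # First uncommented AuthUserFile directive (directive names are
    # case-insensitive). Assumes the path contains no spaces.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"\r')
    if [ -z "$pwfile" ]; then echo "no-authuserfile"; return 1; fi

    findings=""
    # Without a Require line the Auth* directives do not restrict anything.
    if ! awk 'tolower($1) == "require" { f = 1 } END { exit !f }' "$ht"; then
        findings="$findings no-require"
    fi
    # World-writable .htaccess: any local user could rewrite the rules.
    if [ -n "$(find "$ht" -prune -perm -002)" ]; then
        findings="$findings htaccess-world-writable"
    fi

    case "$pwfile" in
        /*) if [ -f "$pwfile" ]; then
                # Resolve symlinks so the docroot comparison uses real paths.
                pwdir=$(cd "$(dirname "$pwfile")" && pwd -P)
                case "$pwdir/" in
                    "$docroot"/*) findings="$findings pwfile-under-docroot" ;;
                esac
                # World-readable hashes can be copied by any local account.
                if [ -n "$(find "$pwfile" -prune -perm -004)" ]; then
                    findings="$findings pwfile-world-readable"
                fi
            else
                findings="$findings pwfile-missing"
            fi ;;
        *)  # Relative paths resolve against ServerRoot, unknown to this script.
            findings="$findings pwfile-relative-path" ;;
    esac

    if [ -z "$findings" ]; then echo "ok"; return 0; fi
    echo "${findings# }"
    return 1
}
```

Run it as `audit_htaccess /path/to/docroot /path/to/docroot/protected-dir` on the server itself; a result of "ok" only covers these four checks, not the rest of the Apache configuration.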

 


Thanks for the link to KeePass -- I'm now using it on a memory stick and combined it with a password for the stick as well.

 
Pony, even for something simple like forum passwords, putting them in a file on the web is asking for trouble. Use the KeePass method and keep a memory stick on you. I do at all times, though I don't keep passwords in txt format anywhere as a general rule (still young enough to keep them memorized, though I know my time will come). If you are going to do such, keep them encrypted and keep them on your person. Never use the net for storing anything password related. I liken it to playing Russian roulette.

 