Password Protecting a Directory
 

I want to password protect a directory. I can simply do this in the cpanel at my hosting company.

Assuming I use a good long password, how secure is this method?

should be fine as long as you aren't storing credit card numbers or personal data.

I've use that in some of our sites and it has worked without problems so far. Beaver Bob's advice is a good one, we don't store credit card numbers there, we have a separate database for that.

Pass Protect
 

If you have access to ssh you could run the following command htpasswd -c /PATH TO MEMBER DIRECTORY/.htpasswd USERNAME

Replace PATH TO MEMBER DIRECTORY with the path to your members directory and USERNAME with the username you want to use, once this is run you will be prompted to enter a pass, from their you can go ahead and enter the pass you want and then re-enter it.

If you have cpanel you can login, on your main cpanel page scroll down to the security tab. You will have an option that says password protect directories. Click on that and just follow the instructions. it is quite easy and fast through cpanel.

Thanks

The secure way for me would be to use my ssh description that will encypt with md5 encryption.

With a long password, IF the directory isn't an attractive target for attackers,
such as your member's area or certain admin areas. However, as maxprohost
mentioned, I'd also suggest using strong encryption rather than the default
1974 style. You can use this free online tool to do the strong encryption:

https://www.bettercgi.com/strongbox/admin_pass.html

Just copy and paste the output of that tool in your .htpasswd file which cpanel
will generate for you, replacing the line created by cpanel.

@maxprohost & Raymor

Thanks, that hit the nail on the head.

I probably should have also mentioned, for better security, such as on your
members' area, use Strongbox.

You need a script that tracks access and stops it. If you just use htaccess, then the hacker can just keep hitting it with a brute force until they find the right user/pass combo's. A script would block them after x attempts and make it tougher (not impossible).

This is a very good point. In fact, with Phantom Frog, we offer a Brute
Force Attack Protection feature. Too many 401 errors on an IP
address, will get the IP address blocked. If the ip address has been
associated with brute force, we remember/block the Ip address. It
doesn't matter whether there were 10K attempts or 5k attempts from
that Ip address ... it's IP address we block.

The other key to stopping the brute force attack is this: if the do get
a password Phantom Frog catches the abused password almost
immediately using High-Resolution Geo-IP tracking .... pretty soon the
hackers get frustrated and go somewhere else. Geo-IP tracks all
accesses to the members area down to the city level. We offer a free
trial of Geo-IP Pass Abuse Detection.

This is in addition to our Automated Member Support (AMS) feature
which provides 24/7 uninterrupted access to legit members and none to
hackers.

Thanks

George

It might be worth rephrasing what I said above since there are some
comments that may be unclear or misleading because the respondents
perhaps didn't pay close attention to your question. As you may know, we
sell the leading security system to protect you from brute force, but you do
NOT need to buy our product or any other, based on what you've said.
It sounds like your situation is one where you really don't need to worry
about brute force, probably, so don't let any scare tactics in sales pitches
you may come across confuse you. Although more sales for us would be
great, we do NOT want to sell you something you don't need.

That's based on your question in your initial post - "assuming I choose a
good long password ... ". That tells me that it's just you accessing it, we're
not talking about your members' area or another highly advertised URL.
In that case, and assuming you choose a password, or better pass phrase,
that is at least 10-12 characters long it will not be brute forced. Even with a
user name and password of only nine characers here's the math:

There are this many possible user names:
84,590,643,846,578,176
There are also this many possible passwords:
84,590,643,846,578,176

To successfully hack the site by brute force, the hacker
has to guess a valid combination of username and password.
To get the number of possible combinations he would have
to try, we multiply the number of usernames he has to try
by the number of passwords for each one:
7,155,577,026,378,634,231,908,944,079,486,976

That's a huge number, of course. How long would it take to brute force that?

113,450,929,515,135,626,457,207 years - time to brute force.
13,700,000,000 years - Age of the universe, since Big Bang.
65,000,000 years - time since dinosaurs


So if God had started trying to brute force your site at the same time that
he created the universe, His progress bar on his brute force software still
wouldn't have hit 1%. The above math assumed he tries one combination
per second. Even trying a hundred combinations per second, it'll still take
this many years:
1,134,509,295,151,356,264,572
That's still longer than the age of the universe, so unless you expect your
site to be a around a lot longer than the universe, you don't need any
software that's being promoted to protect that directory from brute force.
It would be a waste of money. It you WANT such protection, we can help
you, and Strongbox is quite affordable, but you don't need it in this case,
not for brute force protection.


Another type of attack related to brute force is a "dictionary attack". That's
where it's important that you said you'd choose a good password. If you
chose a crappy password, like "admin" or "password" you'd need to get
some protection, and really should also get a clue. But you specifically said
"if I choose a good long password", in which case you need not be worried
about a dictionary attack. One thought that helps to choose a good
password is to stop calling it a password and think "pass phrase" instead.
Something like "Living with quinns phone, Ray" isn't going to fall to dictionary
attack (or brute force). So you do not need to buy, or lease, any special
software if you choose a good long pass phrase. Our software, like others,
is useful mainly when you have members log in. Members don't choose
good long pass phrases.

Since it won't fall to brute force or dictionary attack, what's left is social
engineering (tricking you into telling someone) or cracking the password
file. No software will prevent you from telling your password, that's just
a matter of being careful. Because password files by default use encryption
from 1974, cracking the password file is a real possibility and that's how
many sites get hacked. Additionally, the default 1974 style encryption,
called "DES", actually uses only the first eight characters of your password,
so that good long password you chose it silently turned into a short weak one.
ONLY our system takes care of that encryption, which is the only real issue you have.
You don't need brute force protection software, you just need an encrpytion upgrade.



Only our

BE UNPREDICTABLE

Choose long and weird passwords with odd character combinations.

Change off the peg directory structures to custom ones when installing scripts.

Why use domain.com/members/ , when you can use, domain.com/themembersarea/ ?

@raymor
You really did a good job dissecting my question. You are correct in that I don't intend to make a members area. You are also correct in that I would not use a dictionary password, but something more like the first letter of all my friends and family put together with the several numbers that when said together "sound" like a whole word. I typically use passwords of 20 alphanumeric characters.

Thank you for the detailed explanation. I understand now why and where the encryption is needed.

@urb
I do need to get more creative with my directory structure. Once I get a feel for building adult sites in the kind of volume needed, I should be able to reduce the predictability factor.

@fandango & gmr324
I like the idea of a script the tracks and/or blocks ip, even if I know that they will never crack my password with brute force. I've had my host shut down at least one site because someone decided to attack it.

On a related note: What would be nice is if all commercial sites(not just adult) would just block all the ips of anonymous proxy sites. Probably would turn the economy around almost overnight.

Strongbox detect open proxies and handles them accordingly.