Stupid Web Tricks: Learn how to implement Basic Authentication

Password-protect areas of your site with Basic Authentication. Find out how.

Click here for our complete list of Stupid Web Tricks.

Whether you're posting information about your favorite soccer team, Steve Jobs's home phone number, or just photos of neighborhood cats, it's often imperative that you protect some of your content by making it available only to a select group of individuals. The easiest way to enforce this kind of control is to require a password for certain parts of your site.

Most HTTP servers support something called Basic Authentication, a method of setting permissions for particular directories. You do not need network administrator privileges for the whole server to do this; if you can write to the directory, you can password-protect it. (If your site runs on Microsoft Internet Information Server on Windows NT you have a number of other password options. Check out Microsoft's site for more information.)

Step One
Say you want to create a directory called Secrets and allow in only those people with the username Bond and the password 007.

First, create a file to contain the username and password. Store this file on your server. (For security reasons, you should store it somewhere other than the root directory.) Most HTTP servers, including Apache and Netscape Enterprise Server, let you create this document with the htpasswd command. Type the following line from the Unix prompt:

htpasswd -c /directory/path/.htpasswd Bond

To use this code, replace /directory/path/ with the Unix path to the password-protected file's location on your own site. You will be prompted for the password for Bond; enter it twice. You can check that the .htpasswd file has been created at that location; it should contain something like:


Step Two
Next, create a file in the Secrets directory that sets the permissions. Call the file .htaccess and include the following text:

AuthUserFile / directory/path/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

require user Bond

Again, replace the /directory/path/ statement with your site's Unix path to the .htpasswd document. You can change the value for AuthName to whatever you want.

To make sure your password protection works, try accessing a file in the Secrets directory. You should be prompted for a name and password, and the Bond-007 combination should get you in.

You can also create multiple usernames and passwords, as well as groups. For more information on how to do this, or to troubleshoot the basic process described above, visit Apache Week or the NCSA site.

Warning! Although Basic Authentication is easy to implement, it is definitely not industrial-strength security. Basic Authentication sends passwords over the Internet as plain text—UUencoded, but not encrypted. A person watching the packets on the network wouldn't be able to tell which one contained the password, but if he or she caught the right one it would be easy to decode. For this reason, we discourage large banks and defense contractors from relying on this security method.

Editor's Picks