How secure is htpasswd when protecting a directory?

Well as long as you don't put the .htpassword file in a web accessible directory then it is fine.

I've read in a couple of other sources the recommendation
to put the .htpasswd file someplace other than in my web
directory. So I tried putting it in the home directory of my
shell account, made sure that the .htpasswd file was rw-r--r--
and that my home directory was rwxr-xr-x,
but then I whenever I try to access a page controlled by
the .htaccess file that refers to this .htpasswd file,
I get a string of three requests for username and password,
followed by an Authorization Required page.
It's not my personal machine, it belongs to the ISP, so I don't
have the option of putting .htpasswd in /, which is where most
sources suggest putting it. Any ideas?

The ideal place to put it is one directory above your root directory. Typically your root directory will be named either public_html or www.

Your .htaccess file should only be in the directory that you wish to protect. If you put it in your root directory then it will protect your entire site if you put it in a sub directory it will protect that sub directory and any sub directories within it.


Have you read through this tutorial?

http://www.javascriptkit.com/howto/htaccess.shtml

it is written by one of our moderators (Feyd) on how to work with this.

Originally posted by Spookster
The ideal place to put it is one directory above your root directory. Typically your root directory will be named either public_html or www.

Yes, that seems to be what most folks recommend.
However, if I try to create a file there, I get "Permission Denied".
Does not surprise me -- If I could write in the directory that is
the parent of my WWW directory, I could delete the directories
of other users.


Your .htaccess file should only be in the directory that you wish to protect. If you put it in your root directory then it will protect your entire site if you put it in a sub directory it will protect that sub directory and any sub directories within it.


Right. I am specifically trying to put a different .htaccess file
in each subdirectory of my WWW directory, but have them all
use the same AuthUserFile


Have you read through this tutorial?
http://www.javascriptkit.com/howto/htaccess.shtml
it is written by one of our moderators (Feyd) on how to work with this. [/B]

Yes, it is excellent. That was one of of the "sources" to which I referred.

Dunno about other ISP's, but mine has the WWW tree on one
filesystem and the tree for shell accounts on a different filesystem.
In each case, the directory containing the subdirectories for all the
users is itself owned by 'root' or whatever, and write-locked
against all others. Seems reasonable to me, but it makes it
hard to follow the recommenation about the .htpasswd file.

Thanks.

I had problems with this, in the end I put the .htpasswd in the directory previous to www otherwise it wouldn't work.