Security tip of the day: Use htdigest instead of htpasswd for phpMyAdmin and other sensitive stuff

11 May

I just realized that there was a better alternative to basic authentication for Apache 2.2. According to

“The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.”

So I read and and did the following:

htdigest -c apachePassword phpmyadmin myUser

Answered the questions asked by htdigest and checked that a new file named apachePassword was created. After that I edited my /etc/apache2/apache2.conf file and added these:

# htdigest authentication
<Location /phpmyadmin/>
          AuthType Digest
          AuthName "phpmyadmin"
          AuthDigestDomain /phpmyadmin/

          AuthDigestProvider file
          AuthUserFile /home/myUser/apachePassword
          Require valid-user

Then I enabled auth_digest by issuing the following command: a2enmod auth_digest. Finally I checked my Apache configuration file with the apache2ctl -t command and restarted the Apache web server. Then I visited and I was greeted with the Apache’s username / password dialog window before being able to see phpMyAdmin’s screen.


Posted by on May 11, 2010 in security, sysadmin


2 responses to “Security tip of the day: Use htdigest instead of htpasswd for phpMyAdmin and other sensitive stuff

  1. Andy

    July 12, 2010 at 23:17


  2. Gerard

    February 1, 2014 at 15:28

    Actually Digest Auth is not as secure as you might think. The password file on the server is vulnerable because it contains reversible encryption. If you seek more security Apache’s advice is to use Basic Auth instead combined with mod_ssl.

    For further reading:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: