
How secure are password protected directories?

Discussion in 'BlackHat Lounge' started by tonlilaz, Oct 2, 2008.

  1. tonlilaz

    I got a question for you guys.

    I've got a private blog I keep for my own personal reasons... I use it as an online journal of my projects, ideas, and private data.

    I've got this blog on a subdomain that I've password protected in my cPanel.

    Provided that I've got a good password, how hackable are password protected directories? I don't want search engines like Yahoo/Google accessing the account... and I don't want people to see the blog. I know that when I access the blog, I get a popup requesting a username/password... so I think it's secure...

    But is there a way to bypass this and hack into the directory that I am unaware of? I kinda need to know because I've got sensitive information such as account numbers, usernames/passwords, and so on.

    Thanks!
     
  2. bhnoobz

    lol

    How about not making it web accessible. That will cut down on 99% of your 'security' concerns. Also, make sure whatever PHP scripts you run that are web accessible are updated and do not have remote file inclusion vulnerabilities. If they do, disable or update them. And don't store your goodies in a web accessible folder. Oh yeah, I said that already. :) If you really *need* remote access to it all the time, you could use PGPDisk or TrueCrypt to create an encrypted volume. If the server is Linux based, you can use SSHFS to mount your user folder via SSH and then use TrueCrypt to mount the encrypted disk volume. That way if some little nugget gets a hold of your secret treasure chest, it will be useless to them.
     
  3. BozoClown

    They are quite secure. But as a whole it all depends on the weakest link in the chain. If the password is stored in the database and it gets hacked, you may be out of luck.

    If it is the .htpasswd mechanism and Apache or the .htaccess file are misconfigured to reveal your .htpasswd file, you are out of luck.

    In other words nothing is absolute. In your case, it looks like it is .htpasswd protection and the chances of Apache revealing the password file are slim, as it would be a major security issue.
     
    • Thanks x 1
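    BozoClown's point is that the popup is HTTP Basic authentication backed by an .htpasswd file, and that the scheme is only as strong as the handling of that file. The Python below is an added example, not code from the thread or from Apache: it reproduces the server-side check against {SHA}-style .htpasswd entries (the form `htpasswd -s` writes), decodes the Authorization header a browser sends after the popup to show that it is only base64 (so over plain HTTP the password crosses the wire readable, and HTTPS is what keeps it from being read), and checks the one misconfiguration the post names: a password file placed under DocumentRoot, where a misconfigured server could serve it. The users, passwords and paths are constructed.

```python
import base64
import hashlib
import hmac
import os.path
from typing import Dict, Optional, Tuple


def make_sha_entry(user: str, password: str) -> str:
    """Build one {SHA} line the way `htpasswd -s` does: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample .htpasswd contents; the users and passwords are hypothetical.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample; comment lines and blanks are ignored",
    make_sha_entry("journal", "correct horse battery staple"),
    make_sha_entry("tonli", "another-constructed-password"),
])


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash field from .htpasswd text."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Verify a password against a {SHA} entry in constant time.
    Other Apache formats (apr1, bcrypt, crypt) are deliberately not handled here."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are supported in this example")
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' value.
    The token is plain base64 of 'user:password'; anyone who can read the
    request on the wire (plain HTTP) recovers the credentials this same way."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def build_basic_header(user: str, password: str) -> str:
    """What the browser sends after the username/password popup."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authorize(header: Optional[str], users: Dict[str, str]) -> bool:
    """Server-side decision for one request: True only for a known user with the right password."""
    if header is None:
        return False
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    if stored is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        check_password(make_sha_entry("dummy", "dummy").split(":", 1)[1], password)
        return False
    return check_password(stored, password)


def authuserfile_outside_docroot(auth_user_file: str, document_root: str) -> bool:
    """True when the password file is not under DocumentRoot, so no URL can map to it.
    Keeping it there is the simplest defence against the 'server reveals .htpasswd' case."""
    auth = os.path.abspath(auth_user_file)
    root = os.path.abspath(document_root)
    return os.path.commonpath([auth, root]) != root


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    header = build_basic_header("journal", "correct horse battery staple")
    print("header decodes to:", decode_basic_header(header))   # the password, in the clear
    print("authorized:", authorize(header, users))
    print("AuthUserFile safe:", authuserfile_outside_docroot(
        "/home/user/.htpasswd", "/home/user/public_html"))   # hypothetical paths
```

    The `authorize` function is the whole of what the popup buys you: a lookup plus a constant-time digest comparison. Everything else in the thread (where the file sits, who else can read the disk, whether the request is encrypted) is about keeping that lookup honest.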
  4. tonlilaz

    Is there a possibility that somebody can find the blog in the first place?

    Say for example, I have a blog xx.blog.com and it's a public blog...

    but then I have a private.blog.com and the directory is password protected in the cPanel... is there a possibility that somebody could find that directory in the first place?
     
  5. BozoClown

    If you don't have any links to it, don't have an Alexa or similar toolbar installed when you are accessing it, and have given it an obscure name, then the chances of somebody randomly finding it are very slim.
     
    • Thanks x 1
  6. foxler

    If xx.blog.com has a file inclusion vulnerability it could easily be seen. I would especially be interested if the subfolder the domain is located on was called /private/ because I know there would be some yummy stuff in there. Not sure on the type of hosting account you have, but since you're asking these questions I'm assuming you have a shared hosting account. If you do, on those it's sometimes even possible for someone that has a different shared hosting account on the same server to view the files of everyone being hosted on the server. Also, depending on how well/big the hosting company is, there's a chance they like to snoop around.

    Basically, if you're trying to hide anything online (notes, entries, anything) I would suggest taking it offline to a USB drive; that way no one online could get the info and you could take it on the go.

    If you are trying to just stop the search engines from finding the private blog then the .htpasswd should be good enough, but I would suggest making the private blog have a password that needs to be submitted before anything could be read or opened, for extra protection in case the .htpasswd goes down for any reason.
     
    • Thanks x 1
  7. The Scarlet Pimp

    1. If you're concerned about privacy... do *not* put the blog online. Many hosting companies aren't very helpful when it comes to security, and some don't care at all. I once found a back door into a server, and after I told the owner about it he just shrugged it off and said (basically) that it wasn't his problem.

    2. If you're using WordPress, then rest assured that it will ping as soon as you install it. I put up a new WP blog and within 3 hours Google had found it... and a day later Yahoo found it.

    3. If you insist on putting it online, then simply change the file permissions to "000" when you're not updating/using it. This will make the folder impossible to access, even with the password. When you want to use it, just change the permissions back to "755" for that session.

    tsp
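    Two of the replies turn on Unix permission bits: foxler's warning that on shared hosting another account on the same server may be able to read your files, and The Scarlet Pimp's 000/755 toggle between sessions. The Python below is an added example, not code from either poster: it audits a directory tree for entries that any local account could read (the "other" read bit), and implements the lock/unlock toggle while reporting the mode that actually took effect. Note that 755 itself leaves the directory listable by every account on the host, so the audit flags it; a stricter working mode such as 750 with the web server's group is what a practitioner would normally use. The sample tree, file names and contents are constructed.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List

LOCKED = 0o000    # nobody, including the web server, can enter or read
UNLOCKED = 0o755  # owner rwx, group and everyone else r-x (the mode the post uses)


def is_world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set: any account on the host can read the
    file or list the directory, which is the shared-hosting exposure foxler describes."""
    return bool(path.lstat().st_mode & stat.S_IROTH)


def find_world_readable(root: Path) -> List[str]:
    """Walk a tree and return root-relative paths that other local accounts could read."""
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                continue  # judge the target separately, not the link
            if is_world_readable(entry):
                found.append(entry.relative_to(root).as_posix())
    return sorted(found)


def set_mode(path: Path, mode: int) -> int:
    """chmod and return the permission bits actually in effect afterwards."""
    os.chmod(path, mode)
    return stat.S_IMODE(path.stat().st_mode)


def lock(path: Path) -> int:
    """Between sessions: 000, so the directory cannot be served even with the password."""
    return set_mode(path, LOCKED)


def unlock(path: Path) -> int:
    """For a session: back to 755."""
    return set_mode(path, UNLOCKED)


def build_sample_tree() -> Path:
    """Constructed sample layout with hypothetical names; nothing here is from the thread."""
    root = Path(tempfile.mkdtemp(prefix="private_blog_"))
    private = root / "private"
    private.mkdir()
    os.chmod(private, 0o755)                      # explicit: mkdir is subject to umask
    (private / "journal.txt").write_text("constructed sample entry\n")
    os.chmod(private / "journal.txt", 0o644)      # world-readable: flagged
    (private / "secrets.txt").write_text("constructed sample secret\n")
    os.chmod(private / "secrets.txt", 0o600)      # owner-only: not flagged
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("readable by other accounts:", find_world_readable(root))
        print("locked mode: %o" % lock(root / "private"))
        print("unlocked mode: %o" % unlock(root / "private"))
    finally:
        unlock(root / "private")
        shutil.rmtree(root)
```

    Run the audit against the account's home directory on the host itself; what it lists is what another login on the same machine could read, regardless of the .htpasswd in front of the web server.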