Important: This method of password protecting folders does not provide protection for highly secure information. It is mainly to keep more casual users from accessing a page through a Web browser. See the limitations to this method of authentication for details.

On this page:

• Part 1: Create a password file and put it on the server
• Part 2: Create an .htaccess file in the folder you would like restricted
• Part 3: Test the set up
• Limitations to this method of authentication

Part 1: Create a password file and put it on the server

To create a password file and put it on the server:

1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad.
   Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon.
   
   
2. Open a new blank file and name it: htpasswd
   
   
3. Set up one or more username/password combinations using the following site that can generate encrypted UNIX passwords:
   •  http://spectrum.troy.edu/password/
     
     
4. From the form, copy and paste the username/password combinations into your htpasswd file, noting the following:
   • Each username/password combination should be on its own line.
   • Put nothing else in this file.
     For example: joeuser:33dJ3Dq1oYPd2
     
     
5. Using FTP, upload the htpasswd file to your /usr/users/bcusername/ folder on the www2.bc.edu server.
   Important:
   • Be sure the FTP transfer mode is set to "ASCII" and not "binary".
   • Although this password is not easy to read, there are programs on the Internet that can break this password. Part of keeping your passwords secure is not letting anyone get access to this file. For that reason, we recommend that you not put them in the folder with the documents you are protecting, or even the root level of your Web site. We recommend that you put them in the folder whose name is your username: /usr/users/bcusername/
     Not in: /usr/users/bcusername/www/
     
     
6. Using FTP, change the name of the file on the server to .htpasswd with nothing before the period.

Part 2: Create an .htaccess file in the folder you would like restricted

To create an .htaccess file in the folder you would like restricted:

1. Windows - Open Notepad: Click Start, point to Programs, point to Accessories, then click Notepad.
   Macintosh - Open Text Edit: Double-click your Macintosh HD icon, then double-click the Applications folder, then double-click the TextEdit icon.
   
   
2. Open a new blank file and name it: htaccess
   
3. Copy and paste the following text into the file:
   
   AuthUserFile /usr/users/myusername/.htpasswd
   AuthName "YOUR SITE'S NAME"
   AuthType Basic
   
   < Limit GET>
   require user joeuser
   < /Limit>
   
   
4. Edit the line: AuthUserFile /usr/users/myusername/.htpasswd changing "myusername" to your BC username.
   
   
5. Edit the line: AuthName "YOUR SITE'S NAME"
   The words you put here show up in the authentication dialog box.
   • In Firefox, this line of text appears in the middle of the following phrase: Enter username and password for "YOUR SITE'S NAME" at www2.bc.edu.
     Note: You cannot change the surrounding phrase: "Enter username and password for...at www2.bc.edu."
     
     For example: AuthName"BC Help Center Restricted Page" appears as the following in Firefox (refer to Figure 1):
     
     
     Figure 1: Example of text that appears on login prompt in Firefox.
     
     
   • In Internet Explorer, this line of text appears with nothing around it.
     For example: AuthName"BC Help Center Restricted Page" appears as the following in Internet Explorer (refer to Figure 2):
     
     
     Figure 2: Example of text that appears on login prompt in Internet Explorer.
     
     
6. In the second to last line, change the word "joeuser" to the username you put in your password file.
   Important: Do not include the password in this file.
   
   For example, to change the username to "anotheruser" this last 3 lines would read:
   
   < Limit GET>
   require user anotheruser
   < /Limit>
   
   -OR-
   
   To allow any username/password combination in your password file to access the folder, enter the following for the last 3 lines:
   
   <Limit GET POST>
   require valid-user
   </Limit>
   
   
7. Using FTP, upload your edited htaccess file inside the folder you want restricted on the www2.bc.edu server.
   Important: Be sure the FTP transfer mode is set to "ASCII" and not "binary".
   
   
8. Using FTP, change the name of the file on the server to .htaccess with nothing before the period.

Part 3: Test the set up

To test the set up:

1. Open your Web browser and go to the page you have just protected.
   You should receive an authentication dialog box similar to Figure 1 and 2 above.
2. Enter an incorrect username and password to make sure it fails.
3. Enter the correct username with an incorrect password to make sure it fails.
4. Enter the correct username and password to make sure it works.

Limitations to this method of authentication

The following are limitations to this "basic" method of authentication:

• The password is not encrypted as it goes over the network, so it could be sniffed.
• The password and username remain in the browser until the user closes their Web browser completely. This means that shared computers or unattended computers are potential security risks.
• If the user tries to go to another www2.bc.edu site that has a different username and password, they will get an immediate "access denied" message. They will not even see the authentication dialog box. This is because with basic authentication, the username and password is stored in the browser and the system makes the assumption that for any given server a person has only one username and password. To get past this limitation the user must close all windows of the Web browser, quit the browser, and then launch a new browser session to go to the second location.
• The .htaccess restriction only limits access through a Web browser. Other BC students, faculty, and staff who have accounts on the www2 server may be able to retrieve your documents using FTP. Remember that www2 is primarily a public Web server, not designed for restricting confidential documents. For better handling of confidential documents, use  MyFiles@bc and  WebCT Web.