Remove username/password restrictions on htaccess "Password Protection"
Currently when setting "Password Protection" on a staging server, the username field has a restriction of "Only lowercase alphanumeric characters are allowed", and the password field has a series of requirements for a strong password.
I am all for password strength in most cases, but in the case of htpasswd protection, I think people have a variety of use cases. For instance you may want to only provide reasonable protection on a staging server to keep search engines, and bots out, etc etc. And often times you share staging with a client.
It would be nice to be able to use whatever combination of user/pass is appropriate for your client needs.
-
Jake Grindstone commented
Yes this is so true.
The system doesn't appear to handle hash-like strings as passwords in the way I would expect. According to best practices in authentication, a system should be agnostic about the characters used in a password as long as they meet security requirements. Whether the password is a simple word or a string that resembles a hash (A{S}Da(!3)ASnaas%lda!/asd for example), the system should:
1. Hash and store the initial password.
2. Allow the user to authenticate later by entering the same original string.
It appears that the current implementation might not support this standard behavior, which could be seen as a limitation or oversight in the system's design. I recommend revisiting this aspect of your authentication process to ensure it aligns with industry standards for both security and user experience.This is poor development and security practices.