
htpasswd inaccurate check


I found an interesting thing. I've set up Nginx for Basic Auth with an htpasswd file. Everything works fine, but passwords like <correct password><some random chars> gain access as well as <correct password>.

Is this OK? Is it an Nginx-only issue, or is it related to the crypt method used in both Nginx and Apache?


Solution

  • I shared this with our servers administrator. And he's found the answer: the crypt algorithm hashes only the first 8 characters, so if your password is longer than 8 chars it does not improve its falsification-resistance. If your password is 6 symbols long, let's say

    passwd

    Basic auth will refuse a password like passwd01

    If you use the htpasswd utility and want your passwords to be longer than 8 symbols to improve their cryptographic strength, you had better encrypt them using the md5 or sha algorithm (-m and -s modifiers respectively).

    So your proposition

    "is it related to the crypt method used in both Nginx and Apache"

    is correct.

    Proof can be found at GNU.org libc 32.3 Encrypting Passwords:

    For the DES-based algorithm, the salt should consist of two characters from the alphabet ./0-9A-Za-z, and the result of crypt will be those two characters followed by 11 more from the same alphabet, 13 in total. Only the first 8 characters in the key are significant.
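As an added example (not from the post, Apache or nginx), here is a small auditor that parses an htpasswd-style file and flags entries whose scheme should be migrated, in particular the 13-character DES crypt(3) format the answer describes, for which only the first 8 password characters matter. The sample file, its hash values and the scheme labels are constructed placeholders; the detection is by hash prefix and shape only, no password is verified.

```python
import re
from typing import NamedTuple

# Constructed sample htpasswd file (not from the original post). The hash
# values are shaped like each format but are placeholders, not real digests.
SAMPLE_HTPASSWD = """\
# comment lines and blanks are ignored
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:$2y$05$saltsaltsaltsaltsaltsuhashhashhashhashhashhashhashhas
erin:$6$saltsalt$hashhashhashhash
frank:plaintextpw
"""

# Traditional DES crypt(3): exactly 13 chars from ./0-9A-Za-z, no '$' prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


class Entry(NamedTuple):
    user: str
    scheme: str
    weak: bool  # True when the scheme should be migrated


def classify_hash(h: str) -> tuple:
    """Map one htpasswd hash field to (scheme label, weak flag)."""
    if h.startswith("$apr1$"):
        return "apr1-md5", False          # htpasswd -m
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", False
    if h.startswith(("$5$", "$6$")):
        return "sha-crypt", False
    if h.startswith("{SHA}"):
        return "sha1-unsalted", True      # htpasswd -s: unsalted, fast to crack
    if DES_CRYPT_RE.match(h):
        return "des-crypt", True          # only first 8 password chars count
    return "plaintext-or-unknown", True


def audit_htpasswd(text: str) -> list:
    """Parse htpasswd lines and return one Entry per user, weak ones flagged."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")
        entries.append(Entry(user, *classify_hash(h)))
    return entries


def des_equivalent(password_a: str, password_b: str) -> bool:
    """True if DES crypt would accept both: it compares only the first 8 chars."""
    return password_a[:8] == password_b[:8]
```

Running `audit_htpasswd(SAMPLE_HTPASSWD)` flags alice (des-crypt), carol and frank; `des_equivalent("correctpw", "correctpwXYZ")` is True, which is the behaviour the question observed, while `des_equivalent("passwd", "passwd01")` is False because both are at most 8 characters.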