I've been comparing a tool called Coffee Cup Website Access Manager, which generates htpasswd files and assists in multi-user management, against cPanel's password protection functionality.
With the cPanel functionality, when accessing the directory I receive a browser warning, "Warning this server is requesting your username and password be sent in an insecure manner...", because the passwords are sent in plain text and vulnerable to packet sniffing.
But with credentials created with the Coffee Cup product I get no such warning. It is hashing the passwords, but presumably it's vulnerable in the same way as cPanel passwords.
#User Password File - 05/01/2012 15:14:56
username:$1$sa$Wo.g/ovtw8B//SAgNBbFP1
username:$1$sa$mSD/s4oNRerHapqlNkL321
I had always assumed cPanel was just creating htpasswd files just like this program, and can find no information as to what the difference between the two might be.
Any thoughts appreciated as always.
As long as you use HTTP and not HTTPS, the password will be sent in plain text at some point. I don't know what authentication scheme cPanel uses, but maybe cPanel is defaulting to HTTP while the other option isn't, which would explain the difference.
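An added example, not part of the original posts: it shows that the `$1$sa$...` entries quoted in the question describe only how the password is stored on the server, while the credential a browser sends is a reversible encoding of `user:password` whatever the storage hash, so only HTTPS protects it in transit. It assumes the directory uses HTTP Basic authentication (the thread does not name the scheme); the function names and the sample password are made up for illustration.

```python
import base64
import binascii

# Storage formats, recognised by prefix, that can appear in an htpasswd-style file.
SCHEMES = [("$apr1$", "apr1-md5"), ("$1$", "md5-crypt"), ("$2a$", "bcrypt"),
           ("$2b$", "bcrypt"), ("$2y$", "bcrypt"), ("$5$", "sha256-crypt"),
           ("$6$", "sha512-crypt"), ("{SHA}", "sha1-unsalted")]

def classify_entry(line):
    """Return (user, scheme, salt) for one password-file line, or None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return None
    user, _, stored = line.partition(":")
    for prefix, name in SCHEMES:
        if stored.startswith(prefix):
            parts = stored[len(prefix):].split("$")
            if name in ("bcrypt", "sha1-unsalted"):
                return user, name, None  # bcrypt packs cost+salt+hash; {SHA} has no salt
            if parts[0].startswith("rounds=") and len(parts) > 1:
                parts = parts[1:]        # optional rounds field of SHA-crypt
            return user, name, parts[0]  # crypt-style salt is stored in the clear
    return user, "des-crypt-or-plaintext", None

def basic_header(user, password):
    """Authorization header value a browser sends for Basic auth (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def decode_basic(header):
    """Reverse the header: base64 is an encoding, so no key or hash is involved."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

if __name__ == "__main__":
    # First entry quoted in the question; the password below is constructed.
    print(classify_entry("username:$1$sa$Wo.g/ovtw8B//SAgNBbFP1"))
    wire = basic_header("username", "constructed-password")
    print(wire, "->", decode_basic(wire))
```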