Have you seen this?
This is HTTP auth.
Let's set up a login/password section on your website.
Run this:
% htpasswd -c .htpasswd_test_basic testuser
Enter a password like 'testpass'.
The htpasswd utility will create a file like:
testuser:$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.
Create .htaccess:
AuthUserFile /home/i/web/.htpasswd_test_basic
AuthName "Private Area"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
Now try to access that page, and the web server will respond with:
HTTP/1.1 401 Unauthorized
Date: Fri, 13 Jun 2025 09:07:54 GMT
Server: Apache/2.4.52 (Ubuntu)
WWW-Authenticate: Basic realm="Private Area"
Content-Length: 457
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
A web browser, after you enter the (correct) testuser/testpass, would send this to the server:
GET /test2 HTTP/1.1
Host: conus.info
User-Agent: Links (2.29; Linux 6.11.0-26-generic x86_64; GNU C 13.2; text)
Accept: */*
...
Connection: keep-alive
Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=
This is a very weak protection (if TLS is not used). That base64 obfuscation would stop only small kids, because it's no better than passing the password in plain text:
% echo dGVzdHVzZXI6dGVzdHBhc3M= | base64 -d | xxd -g1
00000000: 74 65 73 74 75 73 65 72 3a 74 65 73 74 70 61 73  testuser:testpas
00000010: 73                                               s
As for that string from htpasswd, it is protected better (see https://httpd.apache.org/docs/2.4/misc/password_encryptions.html). It contains a salt. But it can be cracked with hashcat, if the password is short/simple enough:
% hashcat -m 1600 for-hashcat
(Tune it with -a option...)
Where the for-hashcat file is:
$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.
Also, openssl supports this encryption method:
% openssl passwd -apr1 -salt .5ud0fec testpass
$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.
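To tie the two halves together, here is an added example (not code from the original page or from Apache) that decodes the Authorization header captured above and checks it against the htpasswd line, using a plain-Python implementation of the apr1 scheme. The function names apr1, parse_basic and check are made up for this illustration; the header and htpasswd values are the ones shown on this page.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HEADER = "Basic dGVzdHVzZXI6dGVzdHBhc3M="  # from the request shown on this page
HTPASSWD = "testuser:$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH."  # from .htpasswd above

def apr1(password: str, salt: str) -> str:
    """Apache's MD5-crypt variant: a salted MD5 iterated 1000 times."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s
    for n in range(len(pw), 0, -16):  # one byte of alt per password byte
        ctx += alt[:min(16, n)]
    i = len(pw)
    while i:  # each bit of the length selects NUL or the first password byte
        ctx += b"\x00" if i & 1 else pw[:1]
        i >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):  # the only key stretching apr1 has
        buf = (pw if i & 1 else final) + (s if i % 3 else b"") + (pw if i % 7 else b"")
        final = hashlib.md5(buf + (final if i & 1 else pw)).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):  # 3 bytes -> 4 characters, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$apr1$" + salt + "$" + out

def parse_basic(header_value: str):
    """Split 'Basic <base64>' into (user, password); nothing here is secret."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def check(header_value: str, htpasswd_line: str) -> bool:
    """Verify the header's credentials against one user:$apr1$salt$hash line."""
    user, password = parse_basic(header_value)
    name, _, stored = htpasswd_line.strip().partition(":")
    salt = stored.split("$")[2]
    return user == name and hmac.compare_digest(apr1(password, salt), stored)

if __name__ == "__main__":
    print(parse_basic(HEADER), check(HEADER, HTPASSWD))
```

The password crosses the wire in recoverable form on every request, and the stored hash costs only about a thousand MD5 calls per guess, which is why TLS and a strong password both matter here.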
