So Jericho poses the question of whether apache password files can have comments.

On Wed, 28 Dec 2005, security curmudgeon wrote:

: find out if the apache password files can have comments or not =)

So we Google. Plenty of searches for strings such as "apache .htaccess password comments", ".htaccess password comment allow", and "add comment apache password" didn't help much. Plenty of hits were found for adding comments to apache .htaccess and config files themselves, but what about the actual password files?

After a little digging and playing around, we found the following:

You *can* add comments to the password files, but:

a. they have to be preceded by a # (per usual standard for most comments)

b. you cannot append them to the end of a line in the password file, i.e.:

   imaluser:E5$%NGJGD%%ETNT # this one is a luser

c. they must exist on their own line:

   # following user anally injects heroin
   imfromindiana:FDJ$*TJHG38347573

From what we gathered, httpd services do NOT need to be restarted after modifying the password files. Worst case scenario should be that the user gets denied access when the comments are misconfigured, not a full crash of the web services.

-- Attrition staff
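
The rules above can be checked before a password file goes live. The following is an added example, not part of the original post: a small Python lint that flags the trailing-comment case from (b), which would otherwise leave that user locked out. The function names and the sample file are constructed for illustration, and ignoring whitespace around a line is an assumption.

```python
import re

# Constructed sample: the two entries are the placeholder lines from the post,
# the comment text and the last line are made up for this example.
SAMPLE = (
    "# constructed comment on its own line\n"
    "imfromindiana:FDJ$*TJHG38347573\n"
    "imaluser:E5$%NGJGD%%ETNT # this one is a luser\n"
    "\n"
    "nocolonhere\n"
)


def lint_htpasswd(text):
    """Classify every line; returns a list of (line_number, status, detail)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # assumption: whitespace around a line is ignored
        if not line:
            findings.append((n, "blank", ""))
        elif line.startswith("#"):
            # Rules (a) and (c): a comment starts with '#' on its own line.
            findings.append((n, "comment", ""))
        elif ":" not in line:
            findings.append((n, "error", "no user:hash separator"))
        else:
            user, _, rest = line.partition(":")
            if not user:
                findings.append((n, "error", "empty user name"))
            elif re.search(r"\s#", rest):
                # Rule (b): a comment appended to an entry is not allowed.
                findings.append((n, "error", f"trailing comment after entry for {user!r}"))
            elif re.search(r"\s", rest):
                findings.append((n, "error", f"whitespace in hash field for {user!r}"))
            else:
                findings.append((n, "ok", user))
    return findings


def errors(text):
    """Only the lines that would keep a user from authenticating."""
    return [f for f in lint_htpasswd(text) if f[1] == "error"]


if __name__ == "__main__":
    for number, status, detail in lint_htpasswd(SAMPLE):
        print(f"{number}: {status} {detail}".rstrip())
```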