By default, Apache stores passwords hashed with MD5, slightly modified by Apache.
Since MD5 is a hash, it cannot be decoded easily, so we just need to
encode the password sent by the browser using the same method that Apache
uses, and compare the user name and encoded password for authentication.
This is an example of a user (admin) and password (testtest) entry created by
Apache’s htpasswd.exe (on Windows):
—
admin:$apr1$4K5.....$2rBEDtuuwjD.QtVycG/xn1
—
In this case, the key string is “$apr1$4K5.....”, which is also called a salt
(the “$apr1$” prefix selects Apache’s MD5 variant and “4K5.....” is the random part).
So, if we receive an HTTP_AUTHORIZATION header carrying admin:testtest (base64-encoded),
we need to compute MD5(“testtest”, “$apr1$4K5.....”), and we then get
$apr1$4K5.....$2rBEDtuuwjD.QtVycG/xn1 as the result.
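
The check described above, as an added Python example that is not part of the original page: apr1 re-implements the md5crypt construction Apache uses with the "$apr1$" magic, and check_basic_auth re-hashes the submitted password with the stored salt and compares in constant time. Both function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1(password: str, salt: str) -> str:
    """Apache's MD5 variant: md5crypt with the "$apr1$" magic and 1000 rounds."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for left in range(len(pw), 0, -16):   # alt digest repeated to len(pw) bytes
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:                              # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    d = ctx.digest()
    for r in range(1000):                 # stretching rounds
        c = hashlib.md5(pw if r & 1 else d)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(d if r & 1 else pw)
        d = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))  # byte shuffle
    groups = [(d[x] << 16 | d[y] << 8 | d[z], 4) for x, y, z in order] + [(d[11], 2)]
    out = "".join(ITOA64[(v >> 6 * i) & 0x3F] for v, k in groups for i in range(k))
    return f"$apr1${salt[:8]}${out}"

def check_basic_auth(header: str, htpasswd_line: str) -> bool:
    """Check an Authorization header value against one htpasswd entry."""
    scheme, _, blob = header.partition(" ")
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:                    # bad base64 or bad UTF-8
        return False
    name, _, stored = htpasswd_line.strip().partition(":")
    parts = stored.split("$")             # ['', 'apr1', salt, digest]
    if scheme.lower() != "basic" or not sep or len(parts) != 4 or parts[1] != "apr1":
        return False
    candidate = apr1(password, parts[2])  # re-hash with the stored salt
    same_user = hmac.compare_digest(user.encode(), name.encode())
    return same_user & hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":  # entry and credentials from the text (salt: "4K5" + five dots)
    hdr = "Basic " + base64.b64encode(b"admin:testtest").decode()
    print(check_basic_auth(hdr, "admin:$apr1$4K5.....$2rBEDtuuwjD.QtVycG/xn1"))
```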