I tried this on a protected directory on a server running Apache 1.3.37. Assuming "password" is the password in this case and "L" represents any letter, the following allowed access:

passwor 
password 
passworL 
passwordL 
passwordLL 
passwordLLL 
passwordLLLL 
passwordLLLLL

etc. - I stopped at ten letters after the full password, but I suspect that you could go up to the 255 character limit.

A bug? Maybe. A security risk? Probably not, as you still need to know the password other than the final character. I guess it is down to how Apache handles the encrypted password from the .htpasswd file, or something to do with how MD5 hashes work in general (apache usually encrypts the password as MD5 according to the .htpassword manual page [httpd.apache.org]).

It is probably the system's crypt() routine being used. My understanding is that the traditional implementation uses a modified form of the DES algorithm in which the user's password is truncated to eight characters. Apache 1.3 might also use a version of MD5 modified for Apache but I'm guessing the user's password is still truncated to 8 characters prior to encryption (and again at authentication).

It's odd that 7-char 'passwor' worked then though ...?

No, you're quite right coopster - my actual password used for the test was nine characters long, not eight - so you explanation works perfectly in this instance. :)

Whew, I'm still sane then -- although that is arguable, I know ;)

I wondered the same thing here myself at one point back when I was using 1.3, mattx17. Why did my 8 character password truncation work when I specifically had a longer password assigned? To be honest, I have never tested with Apache 2.x. I'm assuming nothing has changed though as this is some very basic authentication, and not secure. Keeps the honest thieves out, as they say. Everything I need password protected now goes through my own authentication methods using the encrypted protocol.