.htpasswd / .htaccess is letting *almost* any password work

I set up .htaccess / .htpassword and It works, except when I type the password incorrectly it still logs me in.. If I use a completely different password, doesn't work. A different user name, it doesn't work开发者_如何学Python.

But if I use the proper user name and mostly the right password, it works?

Example:

password I'm using is "firefight", and "firefighter" seems to work. "Hose" won't.

Any clue?

From the htpasswd page:

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

Only the first 8 characters are taken into consideration.