Apache .htpasswd Generator
Generate Apache .htpasswd entries with bcrypt, SHA1, or APR1-MD5 hash formats. Add multiple users and download the combined .htpasswd file.
What is an .htpasswd File?
An .htpasswd file is a flat-file user database used by Apache HTTP Server for HTTP Basic Authentication. Each line contains a username and a hashed password separated by a colon — for example admin:$2y$10$.... Apache reads this file when protecting a directory with AuthType Basic and AuthUserFile directives. This generator hashes passwords with your chosen algorithm entirely in the browser — nothing is sent to a server.
Which hash format should I choose?
bcrypt is the recommended format for new files: it is computationally expensive (making brute-force attacks slow), natively supported by Apache 2.4+, and produces hashes with a $2y$ or $2b$ prefix. APR1-MD5 ($apr1$) is the Apache-specific MD5 variant, widely supported but weaker than bcrypt. SHA1 ({SHA}) is portable but the weakest option; avoid it for new files.
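To check which formats an existing file already contains, the sketch below classifies each entry by the prefixes described above. It is an added example, not code from this generator; the function names, the sample entries and the bcrypt cost floor of 10 are assumptions made for illustration.

```python
import re

# bcrypt entry: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # assumption: local policy floor, not an Apache rule


def classify(hash_field):
    """Return (scheme, finding) for the hash part of one .htpasswd line."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", f"weak: cost {cost} below {MIN_BCRYPT_COST}"
        return "bcrypt", "ok"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "weak: migrate to bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1", "weak: unsalted SHA-1, rehash with bcrypt"
    return "unknown", "review: unrecognised format (crypt or plaintext?)"


def audit(text):
    """Parse .htpasswd content; return (line_no, user, scheme, finding) rows."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user or not hash_field:
            results.append((no, user, "malformed", "review: missing user or hash"))
            continue
        results.append((no, user) + classify(hash_field))
    return results


# Constructed sample file: placeholder strings of the right shape, not real hashes.
SAMPLE = """\
admin:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
deploy:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:$apr1$Xy12abcd$0123456789abcdefghijkl
old:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
broken-line-without-colon
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Entries flagged as weak can only be upgraded by setting the password again, since the stored hash cannot be converted to another format.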
Frequently Asked Questions
How do I use an .htpasswd file to protect a directory?
Create a .htaccess file in the directory you want to protect with these directives:
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /full/path/to/.htpasswd
    Require valid-user
Store the .htpasswd file outside your document root to prevent it from being downloaded directly. Use an absolute path in AuthUserFile.
Is HTTP Basic Authentication secure?
Only over HTTPS. Basic Auth transmits credentials base64-encoded (not encrypted) in every request header — trivially decodable by anyone who can intercept the traffic. Always combine Basic Auth with TLS. It's suitable for low-risk areas like staging environments, admin dashboards with additional access controls, or internal tools. Do not use it as the sole security layer for sensitive production data.
What is the difference between APR1-MD5 and standard MD5?
APR1 ($apr1$) is Apache's custom MD5 scheme: it adds a random salt, runs 1,000 rounds of mixing with the password and salt interleaved in a specific pattern, and uses a custom base64 alphabet. Standard MD5 is a single-pass hash with no salt or iteration. APR1 is significantly harder to brute-force than plain MD5, but much weaker than bcrypt, which uses thousands of iterations and is designed to resist GPU acceleration.
Can I use .htpasswd with Nginx?
Yes — Nginx supports HTTP Basic Auth via its ngx_http_auth_basic_module, which reads .htpasswd-format files. Add to your server block: auth_basic "Restricted"; auth_basic_user_file /path/to/.htpasswd;. Nginx supports bcrypt and APR1-MD5 formats. SHA1 is also supported. The file format is identical to Apache's.