Htpasswd Generator

Generate .htpasswd password entries for Apache web server basic authentication. Supports SHA-1 hashing via the Web Crypto API.

How to Use .htpasswd Files

  1. Save the generated line to a file named .htpasswd on your server (outside the web root for security).
  2. Create or edit an .htaccess file in the directory you want to protect.
  3. Add the following configuration:
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /full/path/to/.htpasswd
    Require valid-user
  4. To add multiple users, place each username:hash pair on a separate line in the .htpasswd file.

Note: For production environments, use bcrypt hashing via the command-line htpasswd tool. SHA-1 is suitable for basic setups but is not the strongest option available.
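The following is an added illustration, not the tool's own code: it builds the `{SHA}` entry the generator produces (Base64 of the unsalted SHA-1 digest), maintains one username:hash pair per line as step 4 requires, and checks a credential against the file the way the server does. The function names and the sample users are assumptions made for the example.

```python
import base64
import hashlib
import hmac


def sha_entry(username: str, password: str) -> str:
    """Build an Apache {SHA} entry: username:{SHA}base64(SHA-1(password)).
    The digest is unsalted, so identical passwords produce identical entries."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it is the field separator)")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def upsert_user(htpasswd_text: str, username: str, password: str) -> str:
    """Add a user to the file text, or replace that user's existing line,
    keeping exactly one username:hash pair per line."""
    entry = sha_entry(username, password)
    lines = [ln for ln in htpasswd_text.splitlines() if ln.strip()]
    kept = [ln for ln in lines if ln.split(":", 1)[0] != username]
    return "\n".join(kept + [entry]) + "\n"


def verify(htpasswd_text: str, username: str, password: str) -> bool:
    """Check a credential: find the user's line, hash the supplied password
    the same way, and compare in constant time. Handles {SHA} and plaintext
    entries; $apr1$ and $2y$ lines are rejected here rather than misverified."""
    for ln in htpasswd_text.splitlines():
        if ":" not in ln:
            continue
        user, stored = ln.split(":", 1)
        if user != username:
            continue
        if stored.startswith("{SHA}"):
            digest = hashlib.sha1(password.encode("utf-8")).digest()
            expected = base64.b64encode(digest).decode("ascii")
            return hmac.compare_digest(stored[len("{SHA}"):], expected)
        if stored.startswith("$"):
            return False  # apr1/bcrypt need their own algorithm; out of scope
        return hmac.compare_digest(stored, password)  # plaintext entry
    return False  # unknown user


if __name__ == "__main__":
    # Constructed sample users, not real credentials.
    text = upsert_user("", "alice", "password")
    text = upsert_user(text, "bob", "hunter2")
    print(text, end="")
    print(verify(text, "alice", "password"), verify(text, "alice", "wrong"))
```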


How to Use the Htpasswd Generator

  1. Enter a username -- This will be the login name for the protected area.
  2. Enter a password -- Choose a strong password. Use the show/hide toggle to verify.
  3. Select an algorithm -- SHA-1 is recommended for compatibility. Plaintext is for testing only.
  4. Generate -- Click the button to create the .htpasswd entry.
  5. Copy and deploy -- Copy the output and save it to your .htpasswd file on the server.

About .htpasswd Authentication

The .htpasswd file is used by the Apache HTTP Server for basic HTTP authentication. It stores username and password pairs, where passwords are hashed using algorithms like SHA-1, MD5 (apr1), or bcrypt. When a user accesses a protected directory, the browser prompts for credentials, which are then verified against the .htpasswd file.

Basic authentication sends credentials encoded in Base64, which is not encrypted. Always use HTTPS alongside .htpasswd authentication to prevent credential interception. For maximum security, the .htpasswd file should be stored outside the web-accessible directory tree and use bcrypt hashing, which is available through the command-line htpasswd utility on most Linux servers.

Use Cases for .htpasswd Authentication

Apache basic authentication with .htpasswd files is a straightforward way to restrict access to web resources. Here are the most common scenarios.

Development and Staging Environments

Protect staging and development websites from public access while they are under construction. A simple .htpasswd setup prevents search engines from indexing unfinished content and keeps casual visitors out without requiring a full authentication system.

Admin Panels and Dashboards

Add an extra layer of authentication in front of admin panels, phpMyAdmin, or monitoring dashboards. Even if the application has its own login, .htpasswd provides defense-in-depth by requiring a second set of credentials before the application's login page is even accessible.

Private File Downloads

Protect directories containing private files, documentation, or media that should only be accessible to authorised users. This is common for client deliverables, internal documentation, and restricted content areas.

Shared Hosting Environments

On shared hosting where you may not have access to server configuration files, .htaccess with .htpasswd is often the only way to implement directory-level password protection. Most shared hosting control panels (cPanel, Plesk) provide GUI tools for managing .htpasswd, but generating entries manually gives you more control.

API Rate Limiting and Access Control

For simple internal APIs or webhooks, basic authentication via .htpasswd provides lightweight access control without implementing a full OAuth or token-based system. This is suitable for internal tooling and low-traffic endpoints where simplicity is valued over scalability.

Algorithm Comparison

Apache supports several hashing algorithms for .htpasswd files. The table below compares their security properties.

  Algorithm    Prefix   Salted   Security                     Browser-Compatible
  -----------  -------  -------  ---------------------------  -------------------
  bcrypt       $2y$     Yes      Strongest (adjustable cost)  No (use CLI)
  Apache MD5   $apr1$   Yes      Moderate (1000 rounds)       No (use CLI)
  SHA-1        {SHA}    No       Basic (single round)         Yes (this tool)
  Plaintext    (none)   No       None (testing only)          Yes (this tool)

For production environments, bcrypt is the recommended algorithm because its adjustable cost factor makes brute-force attacks computationally expensive. Since bcrypt requires server-side computation, use the command-line htpasswd tool: htpasswd -B -C 10 .htpasswd username. This tool provides SHA-1 hashing for quick setups, development environments, and situations where bcrypt is not available.
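An added audit script, not part of the tool, that applies the comparison above to an existing .htpasswd file: it identifies each entry's algorithm by its prefix, flags anything below bcrypt, and reports users who share an unsalted hash value (without a salt, equal passwords give equal hashes, so one cracked hash exposes every user with it). The sample file and the function names are constructed for the example.

```python
# Prefix table from the comparison above: (prefix, name, salted, rating).
ALGORITHMS = (
    ("$2y$", "bcrypt", True, "strong"),
    ("$apr1$", "Apache MD5", True, "moderate"),
    ("{SHA}", "SHA-1", False, "basic"),
)


def classify(stored: str) -> tuple[str, bool, str]:
    """Map a stored password field to (algorithm, salted, rating) by prefix;
    anything without a known prefix is treated as plaintext."""
    for prefix, name, salted, rating in ALGORITHMS:
        if stored.startswith(prefix):
            return name, salted, rating
    return "plaintext", False, "none"


def audit(htpasswd_text: str) -> list[str]:
    """Return one finding per weak or malformed entry, plus one finding for
    each unsalted hash value that is shared by more than one user."""
    findings = []
    unsalted = {}  # hash value -> users storing exactly that value
    for lineno, ln in enumerate(htpasswd_text.splitlines(), 1):
        if not ln.strip() or ln.startswith("#"):
            continue
        if ":" not in ln:
            findings.append(f"line {lineno}: malformed (no ':' separator)")
            continue
        user, stored = ln.split(":", 1)
        name, salted, rating = classify(stored)
        if rating == "none":
            findings.append(f"line {lineno}: {user} stored in plaintext")
        elif rating != "strong":
            findings.append(f"line {lineno}: {user} uses {name} ({rating}); rehash with htpasswd -B")
        if not salted:
            unsalted.setdefault(stored, []).append(user)
    for users in unsalted.values():
        if len(users) > 1:
            findings.append("shared unsalted hash: " + ", ".join(users) + " have the same password")
    return findings


# Constructed sample file; the $apr1$ and $2y$ values are placeholders, not real hashes.
SAMPLE = """alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$apr1$saltsalt$placeholderhash
dave:$2y$10$placeholderbcryptvalue
eve:plaintextpw
not a valid entry
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```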

Security Best Practices

Basic HTTP authentication has inherent limitations that you should understand before deploying it. Credentials are sent with every request encoded in Base64, which is trivially decodable -- it is not encryption. Always use HTTPS (SSL/TLS) alongside .htpasswd authentication to encrypt the credential transmission between browser and server.

Store the .htpasswd file outside the web-accessible document root. For example, if your website files are in /var/www/html/, place the .htpasswd file in /etc/apache2/ or /var/www/.htpasswd. This prevents an attacker from downloading the file by guessing its path. As an additional safeguard, add the following to your Apache configuration:
    <Files ".htpasswd">
    Require all denied
    </Files>

For high-security applications, consider replacing basic authentication with more robust alternatives like OAuth 2.0, SAML, or application-level authentication with session management. Basic authentication does not support features like account lockout, multi-factor authentication, or session expiration, making it unsuitable as the sole access control for sensitive systems.

Frequently Asked Questions

An .htpasswd file stores usernames and hashed passwords for Apache HTTP Server basic authentication. Each line contains a username:password pair where the password is hashed using an algorithm like SHA-1 or MD5.

SHA-1 is a reasonable choice for basic compatibility. For production servers, bcrypt (available via the command-line htpasswd tool) provides the strongest protection. Plaintext should never be used in production.

Save the output line to a file named .htpasswd on your server. Then configure your .htaccess file with AuthType Basic, set AuthUserFile to point to the .htpasswd file path, and add "Require valid-user".

Yes. The hashing is performed entirely in your browser using the Web Crypto API. Your password is never sent to any server or stored anywhere.

SHA-1 ({SHA}) is a basic hash that is fast to compute but vulnerable to brute-force attacks. Apache MD5 ($apr1$) adds a salt and 1000 iterations, offering better security. Bcrypt ($2y$) is the most secure option with an adjustable cost factor that makes brute-force attacks computationally expensive. Bcrypt requires the command-line htpasswd tool.

Yes. Place each username:hash pair on a separate line in the .htpasswd file. Generate an entry for each user with this tool and append all of them to the same file. Each user will authenticate with their own username and password.

If the .htpasswd file is within the web-accessible directory, an attacker could potentially download it by guessing the URL and then attempt to crack the password hashes offline. Storing it outside the web root (e.g., /etc/apache2/.htpasswd) ensures it cannot be accessed via a browser request.

No. Bcrypt requires significant computational resources that are impractical in a browser environment. This tool supports SHA-1 and plaintext. For bcrypt hashing, use the command-line htpasswd utility on your server: htpasswd -B -C 10 .htpasswd username.