.htpasswd Generator
Generate Apache .htpasswd entries using bcrypt (the secure default) for HTTP Basic Authentication. Paste the line into your .htpasswd file.
For maximum security, prefer the bcrypt variant: run htpasswd -B on a server. Bcrypt is deliberately CPU-intensive, which makes it a poor fit for hashing in the browser.
How to use htpasswd Generator
- Enter the username that should be granted access.
- Enter the password for that user. It is hashed entirely in your browser and never transmitted.
- Click Generate to produce a complete username:hash line in the Apache MD5 ($apr1$) format.
- Copy the line and append it to your .htpasswd file (commonly /etc/apache2/.htpasswd or alongside your .htaccess).
- Point your web server at the file with an AuthUserFile directive, then reload the server to enforce the login.
How .htpasswd and HTTP Basic Authentication work
A .htpasswd file is the credential store behind Apache's HTTP Basic Authentication — the simplest way to put a username-and-password gate in front of a directory, a staging site, or an admin panel. Each line maps one username to a hashed password in the form username:hash. When someone requests a protected resource, the browser pops up a login dialog, sends the credentials, and Apache hashes the supplied password and compares it to the stored hash.
Passwords are hashed, never stored in plain text
The file never contains the actual password — only a one-way hash. This tool produces the Apache $apr1$ format, a salted, iterated variant of MD5. The salt (a short random string baked into the hash) means two users with the same password get different hashes, which defeats precomputed "rainbow table" attacks. Because the salt is random, generating the same password twice here yields two different lines, and that is expected and correct.
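The salted, iterated hashing and the hash-then-compare check described above can be reproduced in a few lines of Python. This is an added example, not this tool's code or Apache's source; the function names and the sample credentials are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, length: int) -> str:
    # crypt-style base64: 6 bits per character, least significant group first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))

def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<digest>' (Apache's MD5-crypt variant)."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = pw + b"$apr1$" + sl + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:                                   # one byte per bit of the length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                      # the fixed iteration count
        block = pw if i & 1 else final
        if i % 3:
            block += sl
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order) + _to64(final[11], 2)
    return f"$apr1${sl.decode()}${body}"

def make_entry(user: str, password: str) -> str:
    """Build a 'username:hash' line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def check_entry(line: str, user: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare."""
    name, _, stored = line.strip().partition(":")
    parts = stored.split("$")                  # ['', 'apr1', salt, digest]
    if name != user or len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]).encode(), stored.encode())

if __name__ == "__main__":                     # constructed sample credentials
    line = make_entry("alice", "correct horse")
    print(line, check_entry(line, "alice", "correct horse"))
```

The salt is stored in the clear between the second and third `$`, which is how the verifier can recompute the same digest from the supplied password.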
Why bcrypt is the better choice for production
MD5 is fast — and for password hashing, fast is bad. An attacker who steals your .htpasswd file can try billions of MD5 guesses per second on a GPU. bcrypt was designed to be deliberately slow and tunable, so each guess costs meaningfully more time. The catch is that bcrypt is too CPU-intensive to run smoothly in a browser, which is why this tool uses $apr1$ for convenience. For anything important, generate the entry on your server instead:
# create a new file with a bcrypt-hashed user
htpasswd -B -c /etc/apache2/.htpasswd alice
# add more users to the existing file (no -c)
htpasswd -B /etc/apache2/.htpasswd bob
Wiring it into your server
Place the file outside the document root so it cannot be fetched over the web, then reference it from your virtual host or .htaccess:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Nginx uses the same file format via its auth_basic and auth_basic_user_file directives, so a .htpasswd generated here works with Nginx too.
Always pair Basic Auth with HTTPS
Basic Auth transmits credentials Base64-encoded on every request — that is reversible encoding, not encryption. Over plain HTTP anyone on the network path can read them. Serving the protected resource over TLS (HTTPS) encrypts the whole exchange and is non-negotiable for any real use. Combine it with a long, randomly generated password and the gate becomes genuinely useful for low-stakes access control.
Related security tools
- Password Generator — because a fast MD5 hash means the user's password must carry the weight; make each one random.
- Random Token Generator — for API-key auth once username-and-password gates stop scaling.
- Hash Generator — inspect raw MD5, SHA-256, and SHA-512 output for arbitrary text.
Frequently asked questions
What hash format does this tool produce?
Is bcrypt more secure than $apr1$?
How do I generate a bcrypt entry instead?
Is my password sent to a server?
Where does the .htpasswd file go?
Can I put multiple users in one file?
Why is HTTP Basic Auth considered weak on its own?
Should I use a strong password even behind Basic Auth?
Built by Muhammad Tahir · About