Processing locally — files never leave your device

.htpasswd Generator

Generate Apache .htpasswd entries using bcrypt (the secure default) for HTTP Basic Authentication. Paste the line into your .htpasswd file.

For maximum security, prefer bcrypt: generate the entry on a server with htpasswd -B. Bcrypt is deliberately CPU-intensive, which makes it a poor fit for in-browser hashing.

How to use htpasswd Generator

  1. Enter the username that should be granted access.
  2. Enter the password for that user. It is hashed entirely in your browser and never transmitted.
  3. Click Generate to produce a complete username:hash line in the Apache MD5 ($apr1$) format.
  4. Copy the line and append it to your .htpasswd file (commonly /etc/apache2/.htpasswd or alongside your .htaccess).
  5. Point your web server at the file with an AuthUserFile directive, then reload the server to enforce the login.

How .htpasswd and HTTP Basic Authentication work

A .htpasswd file is the credential store behind Apache's HTTP Basic Authentication — the simplest way to put a username-and-password gate in front of a directory, a staging site, or an admin panel. Each line maps one username to a hashed password in the form username:hash. When someone requests a protected resource, the browser pops up a login dialog, sends the credentials, and Apache hashes the supplied password and compares it to the stored hash.

Passwords are hashed, never stored in plain text

The file never contains the actual password — only a one-way hash. This tool produces the Apache $apr1$ format, a salted, iterated variant of MD5. The salt (a short random string baked into the hash) means two users with the same password get different hashes, which defeats precomputed "rainbow table" attacks. Because the salt is random, generating the same password twice here yields two different lines, and that is expected and correct.
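
The salted, iterated construction described above, and the re-hash-and-compare step a server performs at login, written out for Node.js. This is an added example, not this tool's or Apache's own code; the function names apr1 and verifyLine are chosen here for illustration.

```javascript
// Added example (not the tool's own code): $apr1$ hashing and verification.
// Works whether this file is loaded as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

const md5 = (...parts) => {
  const h = nodeCrypto.createHash('md5');
  for (const p of parts) h.update(p);
  return h.digest();
};
// crypt-style base64: n characters, least significant 6 bits first.
const to64 = (v, n) => {
  let s = '';
  while (n-- > 0) { s += ITOA64[v & 0x3f]; v >>= 6; }
  return s;
};
// 8 salt characters from the CSPRNG; 256 is a multiple of 64, so no bias.
const randomSalt = () =>
  Array.from(nodeCrypto.randomBytes(8), (b) => ITOA64[b & 0x3f]).join('');

function apr1(password, salt = randomSalt()) {
  const pw = Buffer.from(password, 'utf8');
  const s = Buffer.from(salt.slice(0, 8), 'latin1');
  let final = md5(pw, s, pw);
  const first = [pw, Buffer.from('$apr1$'), s];
  for (let n = pw.length; n > 0; n -= 16) first.push(final.subarray(0, Math.min(16, n)));
  for (let i = pw.length; i > 0; i >>= 1) first.push(i & 1 ? Buffer.from([0]) : pw.subarray(0, 1));
  final = md5(...first);
  for (let i = 0; i < 1000; i++) { // the fixed 1000-round stretch
    const round = [i & 1 ? pw : final];
    if (i % 3) round.push(s);
    if (i % 7) round.push(pw);
    round.push(i & 1 ? final : pw);
    final = md5(...round);
  }
  let out = '';
  for (const [a, b, c] of [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]])
    out += to64((final[a] << 16) | (final[b] << 8) | final[c], 4);
  return '$apr1$' + s.toString('latin1') + '$' + out + to64(final[11], 2);
}

// What the server does at login: re-hash with the stored salt, then compare.
function verifyLine(line, password) {
  const hash = line.slice(line.indexOf(':') + 1).trim();
  const m = /^\$apr1\$([^$]{1,8})\$[./0-9A-Za-z]{22}$/.exec(hash);
  if (!m) return false;
  return nodeCrypto.timingSafeEqual(Buffer.from(apr1(password, m[1])), Buffer.from(hash));
}
```

Calling apr1 twice with the same password and no explicit salt returns two different strings, and verifyLine accepts both because the salt travels inside the stored hash.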

Why bcrypt is the better choice for production

MD5 is fast — and for password hashing, fast is bad. An attacker who steals your .htpasswd file can try billions of MD5 guesses per second on a GPU. bcrypt was designed to be deliberately slow and tunable, so each guess costs meaningfully more time. The catch is that bcrypt is too CPU-intensive to run smoothly in a browser, which is why this tool uses $apr1$ for convenience. For anything important, generate the entry on your server instead:

# create a new file with a bcrypt-hashed user
htpasswd -B -c /etc/apache2/.htpasswd alice

# add more users to the existing file (no -c)
htpasswd -B /etc/apache2/.htpasswd bob
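
To find entries in an existing file that still need regenerating with bcrypt, the hash prefix of each line identifies its scheme. The following is an added example, not part of the original page: the sample file is constructed, and MIN_BCRYPT_COST is an assumed local policy value.

```javascript
// Added example (not the tool's own code): audit .htpasswd entries by hash scheme.
// SAMPLE is constructed; the hash bodies are filler with the right length only.
const SAMPLE = [
  '# staging users',
  'alice:$2y$12$' + 'A'.repeat(53),
  'bob:$apr1$abcdefgh$' + 'B'.repeat(22),
  'carol:{SHA}' + 'C'.repeat(27) + '=',
  'dave:$2y$05$' + 'D'.repeat(53),
  'erin:hunter2',
].join('\n');

const MIN_BCRYPT_COST = 10; // assumed local policy, not an Apache setting

function classify(hash) {
  const bcrypt = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/.exec(hash);
  if (bcrypt) {
    const cost = Number(bcrypt[1]);
    return cost < MIN_BCRYPT_COST
      ? { scheme: 'bcrypt', weak: true, why: `cost ${cost} is below ${MIN_BCRYPT_COST}` }
      : { scheme: 'bcrypt', weak: false, why: `cost ${cost}` };
  }
  if (/^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$/.test(hash))
    return { scheme: 'apr1', weak: true, why: 'salted MD5, fast to guess offline' };
  if (/^\{SHA\}[A-Za-z0-9+/]{27}=$/.test(hash))
    return { scheme: 'sha1', weak: true, why: 'unsalted SHA-1' };
  if (/^[./0-9A-Za-z]{13}$/.test(hash))
    return { scheme: 'des-crypt', weak: true, why: 'legacy crypt(), 8-character limit' };
  return { scheme: 'unknown', weak: true, why: 'unrecognised or plain text' };
}

function audit(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return; // skip blank and comment lines
    const sep = line.indexOf(':');
    const entry = sep < 1
      ? { user: null, scheme: 'malformed', weak: true, why: 'not username:hash' }
      : { user: line.slice(0, sep), ...classify(line.slice(sep + 1)) };
    findings.push({ line: idx + 1, ...entry });
  });
  return findings;
}

// Users whose entries should be regenerated with htpasswd -B.
const weakUsers = (text) => audit(text).filter((f) => f.weak).map((f) => f.user);
```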

Wiring it into your server

Place the file outside the document root so it cannot be fetched over the web, then reference it from your virtual host or .htaccess:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Nginx uses the same file format via its auth_basic and auth_basic_user_file directives, so a .htpasswd generated here works with Nginx too.

Always pair Basic Auth with HTTPS

Basic Auth transmits credentials Base64-encoded on every request — that is reversible encoding, not encryption. Over plain HTTP anyone on the network path can read them. Serving the protected resource over TLS (HTTPS) encrypts the whole exchange and is non-negotiable for any real use. Combine it with a long, randomly generated password and the gate becomes genuinely useful for low-stakes access control.

Related security tools

  • Password Generator — because a fast MD5 hash means the user's password must carry the weight; make each one random.
  • Random Token Generator — for API-key auth once username-and-password gates stop scaling.
  • Hash Generator — inspect raw MD5, SHA-256, and SHA-512 output for arbitrary text.

Frequently asked questions

What hash format does this tool produce?
It produces the Apache-specific $apr1$ MD5 format, which is an iterated, salted variant of MD5 designed for .htpasswd files. It is generated locally in your browser using a random salt, so the same password gives a different hash each time. Every modern Apache version accepts this format.

Is bcrypt more secure than $apr1$?
Yes. bcrypt is the recommended choice today because it is deliberately slow and resistant to GPU cracking, whereas the $apr1$ MD5 scheme is fast and therefore much weaker against brute force. This tool uses $apr1$ because bcrypt is intentionally too CPU-heavy to compute comfortably in a browser. For production, generate bcrypt on the server with htpasswd -B.

How do I generate a bcrypt entry instead?
On the server, run "htpasswd -B -c /path/to/.htpasswd username" (drop the -c flag when adding to an existing file). The -B flag selects bcrypt. You can raise the cost factor with -C, for example "-C 12", to make cracking slower at the price of a slightly slower login.

Is my password sent to a server?
No. Generating the salt and running the iterated MD5 both happen in JavaScript on this page, so the cleartext password is never put on the wire — only the finished hash line ever appears, and only to you.

Where does the .htpasswd file go?
Anywhere outside the public web root so it cannot be downloaded. A common location is /etc/apache2/.htpasswd. Reference it from your config or .htaccess with AuthType Basic, AuthName "Restricted", AuthUserFile /path/to/.htpasswd, and Require valid-user.

Can I put multiple users in one file?
Yes. Each user is one line of the form username:hash. Add as many lines as you need, one per user. Generate each line here (or with the htpasswd command) and append them to the same file.

Why is HTTP Basic Auth considered weak on its own?
Basic Auth sends the username and password Base64-encoded on every request — which is encoding, not encryption. Without HTTPS those credentials travel in effectively plain text. Always serve Basic-Auth-protected resources over TLS so the connection itself is encrypted.

Should I use a strong password even behind Basic Auth?
Absolutely. Remember that $apr1$ MD5 is fast to compute, so once an attacker has the .htpasswd file a weak password is cracked almost instantly — the strength of the password, not the hash, is your real margin. Generate a long random one for each user.

Built by Muhammad Tahir · About