htpasswd Generator

Generate password entries for Apache .htpasswd files.

What is htpasswd?

An htpasswd file stores usernames and hashed passwords for HTTP basic authentication on Apache web servers. Each line contains a username and password hash separated by a colon. When a client requests a protected resource, the server prompts for credentials and checks them against the htpasswd file. This mechanism is commonly used to restrict access to staging environments, admin panels, and private directories without a full authentication backend.

Hash formats

Apache supports several password hashing schemes. bcrypt ($2y$) is the strongest option — it uses a computationally expensive algorithm with a configurable cost factor, making brute-force attacks impractical. SHA-1 ({SHA}) produces a base64-encoded SHA-1 digest; it is fast but offers no salt, so identical passwords produce identical hashes. MD5 ($apr1$) is Apache's own variant of MD5 with a random salt; it is stronger than plain SHA-1 but weaker than bcrypt. For new deployments, bcrypt is recommended.
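The following is an added example, not code from this tool: a small Python audit that builds {SHA} entries as described above, shows that two users with the same password end up with identical hash fields, and reports the scheme behind each line. The user names, the sample file, and the MIN_BCRYPT_COST floor are assumptions made for illustration.

```python
import base64, hashlib, re
from collections import defaultdict

MIN_BCRYPT_COST = 10  # assumed policy floor for this example, not an Apache rule

def sha_entry(user, password):
    """Build a {SHA} line: base64 of the raw, unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def classify(hash_field):
    """Return (scheme, bcrypt_cost_or_None) based on the hash prefix."""
    m = re.match(r"\$2[aby]\$(\d{2})\$", hash_field)
    if m:
        return "bcrypt", int(m.group(1))
    for prefix, scheme in (("$apr1$", "apr1"), ("{SHA}", "sha1")):
        if hash_field.startswith(prefix):
            return scheme, None
    return "unknown", None

def audit(text):
    """Return sorted (user, message) findings for htpasswd file contents."""
    findings, by_hash = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, cost = classify(hash_field)
        if scheme == "sha1":
            findings.append((user, "unsalted {SHA} hash"))
            by_hash[hash_field].append(user)  # no salt: equal hash means equal password
        elif scheme == "bcrypt" and cost < MIN_BCRYPT_COST:
            findings.append((user, f"bcrypt cost {cost} below {MIN_BCRYPT_COST}"))
        elif scheme == "unknown":
            findings.append((user, "unrecognised hash format"))
    for users in by_hash.values():
        if len(users) > 1:
            findings.append((",".join(users), "same password (identical {SHA} hash)"))
    return sorted(findings)

# Constructed sample file: users and hash values are made up for this example.
SAMPLE = "\n".join([
    sha_entry("alice", "staging-demo"), sha_entry("bob", "staging-demo"),
    "carol:$apr1$Ab3dEf9h$" + "x" * 22,  # filler characters, not a real digest
    "dave:$2y$05$" + "x" * 53,           # filler characters, not a real digest
])

if __name__ == "__main__":
    print("\n".join(f"{user}: {message}" for user, message in audit(SAMPLE)))
```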

Setting up basic authentication

To protect a directory, create an .htpasswd file outside your web root and add an .htaccess file (or equivalent server config) containing AuthType Basic, AuthName, AuthUserFile pointing to your htpasswd file, and Require valid-user. On Nginx, the equivalents are the auth_basic and auth_basic_user_file directives. Both servers read the same htpasswd file format, though Nginx requires bcrypt or apr1 hashes specifically.

Security considerations

Basic authentication transmits credentials base64-encoded (not encrypted), so it must always be used over HTTPS. The htpasswd file should never be served to the web: place it outside the document root or block access with server rules. For production applications with many users, a proper authentication system (OAuth, SAML, or session-based auth) is generally preferable. htpasswd is best suited for low-traffic internal tools and staging environments.

Privacy

This tool runs entirely in your browser. No credentials are sent to any server. Your input stays on your machine.

ectoplasma.org · free tools