Free tool · Runs in your browser

htpasswd Generator

Generate htpasswd entries for HTTP Basic auth - bcrypt, apr1, or SHA-1 - for one or many users, with ready-to-paste nginx and apache config. Hashing happens in your browser; nothing is uploaded.

Generated in your browser - nothing is uploaded. Note that HTTP Basic auth sends credentials base64-encoded, not encrypted, so always serve it over HTTPS.

Hash algorithm
User 1

What is an .htpasswd file?

An .htpasswd file stores credentials for HTTP Basic authentication - one username:hash line per user. nginx and Apache read it to password-protect a path, so it is the simplest way to put a quick login in front of a staging site, dashboard, or internal tool.

The passwords are stored hashed, never in plain text - this tool produces those hashes.

Which hash should you use?

Use bcrypt ($2y$) - it is slow by design, salted, and the modern recommendation; nginx supports it since 1.0.3 and Apache since 2.4. apr1 (Apache's iterated MD5) is widely portable but cryptographically weak. SHA-1 ({SHA}) is unsalted and weak - avoid it except for legacy compatibility. The old DES crypt format truncates to 8 characters; never use it.

Protect a path with nginx

Point nginx at the file and add it to a location, then reload:

  • auth_basic "Restricted";
  • auth_basic_user_file /etc/nginx/.htpasswd;

Building the rest of the server block too? Use our nginx config generator and drop these lines into the location.

Protect a path with Apache

In a .htaccess file or a vhost block, reference the file and require a valid user:

  • AuthType Basic
  • AuthName "Restricted"
  • AuthUserFile /etc/apache2/.htpasswd
  • Require valid-user

Basic auth needs HTTPS

HTTP Basic auth sends username:password base64-encoded on every request- which is trivially decoded, not encrypted. That is fine only over HTTPS, where TLS protects it in transit. Never put Basic auth on a plain HTTP site, and prefer a higher bcrypt cost for credentials that matter.

htpasswd hash algorithms

AlgorithmPrefixSecuritySupport
bcrypt$2y$Strong - recommendednginx 1.0.3+, Apache 2.4+
apr1$apr1$Weak (iterated MD5)All Apache, nginx
SHA-1{SHA}Very weak, unsaltedApache, nginx
crypt(none)Insecure, 8-char limitLegacy only - avoid
htpasswd FAQ

Frequently asked questions

Add one or more username/password pairs here, pick a hash (bcrypt recommended), and copy or download the generated file - each line is username:hash. On a server you can also run htpasswd -cB /etc/nginx/.htpasswd username to create it, or htpasswd -B to add more users.
bcrypt ($2y$) is the strongest and recommended choice - it is salted and deliberately slow. apr1 is Apache's iterated-MD5 scheme; it is portable but weak. Plain SHA-1 ({SHA}) is unsalted and weakest. Use bcrypt unless an old server forces otherwise.
Add auth_basic "Restricted"; and auth_basic_user_file /etc/nginx/.htpasswd; inside the location or server block, then run nginx -t and reload. The .htpasswd file holds the hashed credentials this tool generates.
The stored hashes are fine (use bcrypt), but HTTP Basic auth transmits credentials base64-encoded on every request, which is not encryption. You must serve it over HTTPS so TLS protects the credentials in transit; on plain HTTP they are effectively sent in the clear.
Yes. This tool does it in the browser, and you can also use openssl: openssl passwd -apr1 generates an apr1 hash, and openssl passwd -6 generates a SHA-512 crypt hash (supported by some servers). For bcrypt, htpasswd -nbB user password is the simplest CLI route.
Each user is just another username:hash line in the same file. Add as many rows as you need here and the tool outputs the complete file. On a server, use htpasswd (without -c, which would overwrite) to append additional users.
Basic auth is a quick gate, not a strategy

Manage real access across your servers.

CtrlOps gives you SSH key management, per-user roles, and one-click deployment for your whole fleet - local-first, with credentials encrypted on your own machine. The right tool once Basic auth is not enough.

Start instantly· No credit card· No sneaky autorenewals