htpasswd Generator
Generate htpasswd entries for HTTP Basic auth - bcrypt, apr1, or SHA-1 - for one or many users, with ready-to-paste nginx and apache config. Hashing happens in your browser; nothing is uploaded.
Generated in your browser - nothing is uploaded. Note that HTTP Basic auth sends credentials base64-encoded, not encrypted, so always serve it over HTTPS.
What is an .htpasswd file?
An .htpasswd file stores credentials for HTTP Basic authentication - one username:hash line per user. nginx and Apache read it to password-protect a path, so it is the simplest way to put a quick login in front of a staging site, dashboard, or internal tool.
The passwords are stored hashed, never in plain text - this tool produces those hashes.
Which hash should you use?
Use bcrypt ($2y$) - it is slow by design, salted, and the modern recommendation; nginx supports it since 1.0.3 and Apache since 2.4. apr1 (Apache's iterated MD5) is widely portable but cryptographically weak. SHA-1 ({SHA}) is unsalted and weak - avoid it except for legacy compatibility. The old DES crypt format truncates to 8 characters; never use it.
Protect a path with nginx
Point nginx at the file and add it to a location, then reload:
auth_basic "Restricted";auth_basic_user_file /etc/nginx/.htpasswd;
Building the rest of the server block too? Use our nginx config generator and drop these lines into the location.
Protect a path with Apache
In a .htaccess file or a vhost block, reference the file and require a valid user:
AuthType BasicAuthName "Restricted"AuthUserFile /etc/apache2/.htpasswdRequire valid-user
Basic auth needs HTTPS
HTTP Basic auth sends username:password base64-encoded on every request- which is trivially decoded, not encrypted. That is fine only over HTTPS, where TLS protects it in transit. Never put Basic auth on a plain HTTP site, and prefer a higher bcrypt cost for credentials that matter.
htpasswd hash algorithms
| Algorithm | Prefix | Security | Support |
|---|---|---|---|
| bcrypt | $2y$ | Strong - recommended | nginx 1.0.3+, Apache 2.4+ |
| apr1 | $apr1$ | Weak (iterated MD5) | All Apache, nginx |
| SHA-1 | {SHA} | Very weak, unsalted | Apache, nginx |
| crypt | (none) | Insecure, 8-char limit | Legacy only - avoid |
Frequently asked questions
Related developer tools
Manage real access across your servers.
CtrlOps gives you SSH key management, per-user roles, and one-click deployment for your whole fleet - local-first, with credentials encrypted on your own machine. The right tool once Basic auth is not enough.
✓ Start instantly·✓ No credit card·✓ No sneaky autorenewals

