.htpasswd Generator
Generate .htpasswd entries for Apache and Nginx Basic Authentication. Choose bcrypt, APR1-MD5 or SHA-1 and get a ready-to-paste line.
Free · No credit card · 50 credits/day
Algorithm comparison
Three algorithms supported — only one is recommended for new deployments.
bcrypt
Slow by design — each hash takes ~100ms which makes brute force impractical. Cost factor is adjustable. The only algorithm that stays secure as hardware gets faster.
APR1-MD5
Apache's own MD5 variant — 1000 rounds make it slower than plain MD5, but modern GPUs can still crack it quickly. Use only for compatibility with old Apache versions.
SHA-1
Single-round SHA-1 with no salt. A GPU can try billions of hashes per second. Only use for read-only compatibility with very old systems that support nothing else.
Setting up Basic Auth
AuthType Basic AuthName "Restricted Area" AuthUserFile /etc/apache2/.htpasswd Require valid-user
Store .htpasswd outside the web root. Enable mod_authn_file and mod_auth_basic.
location /admin {
auth_basic "Restricted";
auth_basic_user_file
/etc/nginx/.htpasswd;
}
Nginx supports bcrypt and APR1-MD5. Run nginx -t after changes.
Always use HTTPS with Basic Auth. Credentials are base64-encoded in the Authorization header — trivially decoded without TLS. Never serve a Basic Auth protected resource over plain HTTP.
Frequently asked questions
Related tools
More tools for server configuration and security.
Generate a .htpasswd entry now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →