
.htpasswd Generator

Generate .htpasswd entries for Apache and Nginx Basic Authentication. Choose bcrypt, APR1-MD5 or SHA-1 and get a ready-to-paste line.


Algorithm comparison

Three algorithms supported — only one is recommended for new deployments.

bcrypt (Apache 2.4+, recommended)

Slow by design: each hash takes ~100ms, which makes brute force impractical. The cost factor is adjustable, so of the three algorithms it is the only one that stays secure as hardware gets faster.

Example: admin:$2y$10$...

APR1-MD5 (Apache 1.3+, legacy)

Apache's own MD5 variant. Its 1000 rounds make it slower than plain MD5, but modern GPUs can still crack it quickly. Use only for compatibility with old Apache versions.

Example: admin:$apr1$salt$...

SHA-1 (Apache 1.3+, legacy)

Single-round SHA-1 with no salt. A GPU can try billions of hashes per second. Only use for read-only compatibility with very old systems that support nothing else.

Example: admin:{SHA}W6ph5Mm5Pz...
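
The three entry formats above can be told apart by their prefix, which makes an existing .htpasswd file easy to audit. The Python sketch below is an added example, not code from this tool or from Apache: it classifies each line, flags legacy schemes and low bcrypt cost, and shows that unsalted {SHA} entries reveal password reuse. The MIN_COST threshold, the user names and the filler hash strings are constructed assumptions.

```python
import base64
import hashlib
import re

BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
SHA_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")
MIN_COST = 10  # assumption: the cost shown in this page's $2y$10$ example

def sha_entry(user, password):
    """Build an Apache {SHA} line: base64 of one unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def classify(field):
    """Return (scheme, finding) for the hash field; finding is None if OK."""
    m = BCRYPT_RE.match(field)
    if m:
        cost = int(m.group(1))
        return "bcrypt", f"cost {cost} < {MIN_COST}" if cost < MIN_COST else None
    if APR1_RE.match(field):
        return "apr1-md5", "legacy: 1000 MD5 rounds"
    if SHA_RE.match(field):
        return "sha1", "legacy: one round, no salt"
    return "unknown", "unrecognised format"

def audit(text):
    """Return [(user, scheme, finding)] for .htpasswd content."""
    report, first_sha_user = [], {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        user, _, field = line.partition(":")
        scheme, finding = classify(field)
        if scheme == "sha1":  # no salt: identical hashes mean identical passwords
            if field in first_sha_user:
                finding += f"; same password as {first_sha_user[field]}"
            first_sha_user.setdefault(field, user)
        report.append((user, scheme, finding))
    return report

# Constructed sample: filler strings stand in for real salts and digests.
SAMPLE = "\n".join([
    "alice:$2y$10$" + "A" * 53,
    "bob:$2y$04$" + "A" * 53,
    "carol:$apr1$" + "abcdefgh" + "$" + "B" * 22,
    sha_entry("dave", "example-pass"), sha_entry("erin", "example-pass"),
])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Entries reported as apr1-md5, sha1 or unknown are candidates for regeneration with bcrypt.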

Setting up Basic Auth

Apache .htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Store .htpasswd outside the web root. Enable mod_authn_file and mod_auth_basic.

Nginx location block
location /admin {
  auth_basic "Restricted";
  auth_basic_user_file /etc/nginx/.htpasswd;
}

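Nginx supports bcrypt and APR1-MD5. bcrypt hashes are checked through the system crypt() function, so confirm that the platform's crypt() accepts $2y$ hashes before relying on them. Run nginx -t after changes.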

Always use HTTPS with Basic Auth. Credentials are base64-encoded in the Authorization header — trivially decoded without TLS. Never serve a Basic Auth protected resource over plain HTTP.

Frequently asked questions

What is a .htpasswd file?

A .htpasswd file stores usernames and hashed passwords for Apache HTTP Basic Authentication. Each line is username:hashed_password. When a browser requests a protected resource, it prompts for credentials and the server verifies them against this file.

Which algorithm should I use?

Use bcrypt. It is slow by design: each hash takes ~100ms, which makes brute force impractical. It requires Apache 2.4+ with mod_authn_core. APR1-MD5 is compatible with older Apache but weaker. SHA-1 is legacy and should be avoided for new deployments.

How do I protect a directory with .htpasswd?

Generate a .htpasswd file with this tool and save it outside your web root (e.g. /etc/apache2/.htpasswd). Then create a .htaccess file in the directory: AuthType Basic, AuthName "Restricted", AuthUserFile /etc/apache2/.htpasswd, Require valid-user. Reload Apache.

Can Nginx use .htpasswd files?

Yes. Nginx supports Basic Auth via ngx_http_auth_basic_module, using the auth_basic and auth_basic_user_file directives. Nginx supports bcrypt and APR1-MD5 hashes natively.
