htpasswd Generator

Generate Apache .htpasswd entries — Secure your web directories

Create secure Apache .htpasswd entries for HTTP Basic Authentication

The htpasswd tool generates password entries for Apache HTTP Server's basic authentication (.htpasswd files). These files contain username:password pairs that protect web directories, admin panels, staging sites, and development environments behind HTTP Basic Authentication.

What is .htpasswd?

A .htpasswd file stores usernames and hashed passwords used by Apache's mod_auth_basic module. When a user tries to access a protected directory, Apache prompts for credentials and verifies them against this file. The passwords are never stored in plain text.

✅ Supported Algorithms

  • bcrypt ($2y$): Most secure option with adaptive cost factor. Recommended for all new setups
  • APR1 MD5 ($apr1$): Apache-specific MD5 variant. Good compatibility with older Apache versions
  • SHA-1 ({SHA}): Base64-encoded SHA-1 hash. Simple, but offers only basic security
  • crypt(): Traditional Unix DES-based hashing. Only the first 8 characters of the password are used

📊 Common Use Cases

  • Admin Panels: Protect WordPress wp-admin, phpMyAdmin, or custom admin areas
  • Staging Sites: Keep development and staging environments private
  • API Endpoints: Add basic authentication layer to REST APIs
  • Static Files: Restrict access to sensitive documents and downloads

⚠️ Security Note

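Always use bcrypt for new htpasswd entries. APR1 and SHA-1 are supported for backward compatibility but are weaker. Never transmit .htpasswd files over unencrypted connections. Always pair HTTP Basic Auth with HTTPS, because Basic Auth sends the username and password with each request in Base64 encoding, which is not encryption.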

🔄 Algorithm Comparison

  • 🔵 bcrypt ($2y$): Adaptive cost, slowest to brute-force. Best choice for new setups
  • 🟢 APR1 MD5 ($apr1$): 1000 MD5 iterations with salt. Apache-specific, good compatibility
  • 🟡 SHA-1 / crypt: Single-pass hashing. Legacy only, not recommended

Frequently Asked Questions ❓

How do I use the generated htpasswd entry?

Create a .htpasswd file in a directory outside your web root and paste the generated entry. Then add AuthType Basic, AuthName, AuthUserFile, and Require valid-user directives to your .htaccess or Apache config.

Which algorithm should I choose?

Always choose bcrypt for new setups. It's the most secure option with an adaptive cost factor that makes brute-force attacks extremely slow. Use APR1 only if your Apache version doesn't support bcrypt (pre-2.4).

Can I have multiple users in one .htpasswd file?

Yes. Add one username:password entry per line. Each user can use a different algorithm. Apache will check credentials against all entries in the file.
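
Because each user can use a different algorithm, an existing file can mix bcrypt entries with legacy ones. The following added example (not part of the original page or of Apache's tooling) classifies each entry by the prefixes listed above. The `audit` function, the `min_cost` threshold of 10 and the sample entries are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Entry shapes for the four schemes this page lists (prefix plus expected length).
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")),
    ("apr1", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]


def audit(text, min_cost=10):
    """Return (line_no, user, scheme, verdict) per entry; min_cost is an assumed policy."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, _, hashed = line.partition(":")
        for scheme, pattern in SCHEMES:
            match = pattern.match(hashed)
            if match:
                break
        else:
            # Missing colon, truncated hash, plain text, or a scheme not listed here.
            findings.append((line_no, user, "unknown", "fix"))
            continue
        if scheme != "bcrypt":
            verdict = "rehash"  # legacy scheme: issue a new bcrypt entry
        elif int(match.group(1)) < min_cost:
            verdict = "raise-cost"  # bcrypt, but below the assumed minimum cost
        else:
            verdict = "ok"
        findings.append((line_no, user, scheme, verdict))
    return findings


# Constructed sample: filler characters of the right length, not real hashes;
# only the {SHA} entry is computed, from a made-up password.
SAMPLE = "\n".join([
    "# staging users",
    "alice:$2y$12$" + "a" * 53,
    "bob:$2y$05$" + "b" * 53,
    "carol:$apr1$" + "c" * 8 + "$" + "d" * 22,
    "dave:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode(),
    "erin:" + "e" * 13,
    "frank:plaintext-or-truncated",
])
```

Entries marked `rehash` cannot be converted in place, since the file holds only hashes; each affected user needs a new bcrypt entry generated from their password.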