.htpasswd Generator
SecurityGenerate Apache .htpasswd entries using bcrypt, MD5-APR1, SHA-1, or plaintext algorithms. Secure your web directories with HTTP Basic Authentication.
All hashing happens entirely in your browser — passwords never leave your device.
Roundsrecommended
UsernamePassword
.htpasswd output
Hashed entries will appear here
Ready to paste into .htpasswd
About .htpasswd Generator
The htpasswd Generator creates password entries compatible with Apache's .htpasswd file format, which controls HTTP Basic Authentication for protected web directories and reverse-proxy endpoints. Choose from four supported hashing schemes — bcrypt (the most secure, recommended for all new deployments), MD5-APR1 (widely compatible with older Apache versions), SHA-1 (legacy, avoid for new sites), or plaintext (for testing only) — and receive a ready-to-paste line in `username:hash` format. All hashing is performed client-side using the Web Crypto API and a pure-JavaScript bcrypt implementation, so passwords are never transmitted over the network.
Features
- ✓Generates .htpasswd entries in bcrypt ($2y$), MD5-APR1 ($apr1$), SHA-1 ({SHA}), and plaintext formats
- ✓Bcrypt work factor selector (4–16) lets you tune the cost for your server's hardware
- ✓Produces the full `username:hash` line ready to append to an .htpasswd file
- ✓One-click copy of the generated entry to clipboard
- ✓Validates that the username contains only permitted characters (no colons)
- ✓Shows the raw hash separately so it can be embedded into other config formats
- ✓Warns when insecure schemes (SHA-1, plaintext) are selected
- ✓100 % browser-side — passwords never leave your device
Common Use Cases
- Protecting a staging site behind HTTP Basic Authentication with Nginx or Apache
- Adding new user credentials to an existing .htpasswd file without installing Apache tools
- Creating authentication entries for a Traefik, Caddy, or reverse-proxy basicAuth middleware
- Generating test credentials for CI/CD pipelines that spin up password-protected services
- Quickly updating a single user's password in a .htpasswd file via a browser
- Demonstrating password hashing schemes in security training or courses
- Provisioning credentials for self-hosted developer tools like Grafana or Prometheus
Frequently Asked Questions
QWhich hashing algorithm should I use for .htpasswd?
Use bcrypt ($2y$) for all new deployments. It is the only scheme that is computationally expensive enough to resist brute-force attacks. MD5-APR1 is still widely supported but is susceptible to fast GPU cracking. SHA-1 and plaintext should be avoided entirely in production.
QWhat bcrypt work factor should I choose?
A work factor (cost) of 10 or 12 is recommended for most web applications. Each increment doubles the computation time. Higher values provide more resistance to cracking but increase login latency. Test on your target server — a factor that causes >0.5 s of latency per login may degrade user experience.
QHow do I add the generated line to my .htpasswd file?
Copy the `username:hash` output and append it to your .htpasswd file — one entry per line. If the file does not exist yet, create it and paste the line. Apache will pick up the changes immediately without requiring a restart.
QCan I use this output with Nginx?
Yes. Nginx's ngx_http_auth_basic_module reads standard .htpasswd files. Bcrypt entries require Nginx compiled with the optional CRYPT support (`--with-http_auth_basic_module` and a CRYPT library). MD5-APR1 is always supported by Nginx's bundled implementation.
QIs it safe to generate production passwords in a browser?
Yes, because this tool performs all operations locally using JavaScript crypto libraries. No data is sent to any server. For maximum safety, use the tool in an offline browser session or behind a VPN when entering real production passwords.