.htpasswd Generator

Generate secure .htpasswd entries for Apache HTTP Basic Authentication

Hash Format

bcrypt Recommended
Apache 2.4+, Nginx. Resistant to GPU attacks.
SHA-1 OK
Wide compatibility. No salting — rainbow-table risk.
Plaintext Insecure
Apache only (not recommended). Never use in production.
Cost factor: 10 (2^10 = 1024 iterations)

All hashing is done in your browser. Passwords are never sent to the server.

What Is .htpasswd and How Does HTTP Basic Authentication Work?

The .htpasswd file is the credential store used by Apache and Nginx for HTTP Basic Authentication. Each line contains a username and a hashed password separated by a colon (username:hash). When a browser requests a protected resource, the server checks the supplied credentials against this file. The Apache htpasswd utility is the official way to create and manage these files, but this browser-based generator lets you produce valid entries without installing anything.

Choosing the Right Hash Format

bcrypt is the recommended format for modern Apache (2.4+) and Nginx deployments. It uses a deliberately slow key derivation function with a tunable cost factor, making brute-force and GPU-accelerated attacks impractical. A cost factor of 10 means 2¹⁰ = 1,024 iterations; increasing it to 12 provides 4× more work per guess. Apache uses the $2y$ prefix, which is semantically identical to $2b$. bcryptjs produces $2a$, which this tool automatically converts to $2y$ for Apache compatibility.

SHA-1 produces a {SHA}-prefixed Base64-encoded digest. It is widely supported but has two weaknesses: it is not salted (so identical passwords produce identical hashes, enabling rainbow-table lookups) and SHA-1 is fast enough that modern GPUs can test billions of candidates per second. Use SHA-1 only when compatibility with legacy systems requires it.

Plaintext is listed here only for completeness. Never store plaintext passwords in production — it exposes every user's password if the file is ever read by an attacker.
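
The format differences above can be checked on an existing file. The following is an added example (not this tool's own code) that audits .htpasswd lines for unsalted SHA-1, plaintext, and low bcrypt cost; the MIN_COST threshold, the function names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example, not the tool's code. MIN_COST and SAMPLE are constructed assumptions.
const MIN_COST = 10; // assumed floor: the page's default cost (2^10 iterations)

// Identify the hash format from the prefixes described on the page.
function classify(hash) {
  const m = /^\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/.exec(hash);
  if (m) return { format: "bcrypt", cost: Number(m[1]) };
  if (/^\{SHA\}[A-Za-z0-9+\/]{27}=$/.test(hash)) return { format: "sha1" };
  return { format: "plaintext-or-unknown" };
}

function auditHtpasswd(text) {
  const findings = [];
  const shaUsers = new Map(); // unsalted digest -> users that share it
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const sep = line.indexOf(":"); // username ends at the first colon
    if (sep < 1) return findings.push({ line: idx + 1, issue: "malformed entry" });
    const user = line.slice(0, sep);
    const hash = line.slice(sep + 1);
    const info = classify(hash);
    if (info.format === "bcrypt" && info.cost < MIN_COST) {
      findings.push({ line: idx + 1, user, issue: `bcrypt cost ${info.cost} is below ${MIN_COST}` });
    } else if (info.format === "sha1") {
      findings.push({ line: idx + 1, user, issue: "unsalted SHA-1" });
      shaUsers.set(hash, [...(shaUsers.get(hash) || []), user]);
    } else if (info.format === "plaintext-or-unknown") {
      findings.push({ line: idx + 1, user, issue: "plaintext or unrecognised format" });
    }
  });
  // Without a salt, equal digests mean equal passwords.
  for (const users of shaUsers.values()) {
    if (users.length > 1) findings.push({ users, issue: "identical SHA-1 digest, same password" });
  }
  return findings;
}

// Constructed sample file; the bcrypt strings are format placeholders, not real hashes.
const SAMPLE = [
  "alice:$2y$12$" + "A".repeat(53),
  "bob:$2y$04$" + "B".repeat(53),
  "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
  "dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
  "erin:hunter2",
].join("\n");

for (const f of auditHtpasswd(SAMPLE)) console.log(f);
```

Entries flagged here should be regenerated as bcrypt at or above the chosen cost factor.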

Apache Configuration Example

To protect a directory with your generated .htpasswd file, add the following to your .htaccess or virtual host configuration. Replace /var/www/.htpasswd with the absolute server path to your file. Placing the file outside the web root prevents direct download.

AuthType Basic
AuthName "Protected Area"
AuthUserFile /var/www/.htpasswd
Require valid-user

Security Notes

All hashing in this tool is performed entirely in your browser using the Web Crypto API (for SHA-1) and the bcryptjs library (for bcrypt). No passwords are transmitted to any server. The bcryptjs library generates a cryptographically random 22-character salt before hashing, ensuring that two identical passwords produce different hashes.

HTTP Basic Authentication transmits credentials Base64-encoded (not encrypted) in every request, so always pair it with HTTPS. Basic Auth is suitable for protecting internal tools, staging environments, and low-sensitivity resources, but should not be the sole security layer for high-value applications.