Apache .htpasswd Generator
Enter a username and password to build a single Apache .htpasswd line for HTTP basic authentication. The {SHA} hash is computed in your browser with the Web Crypto API, so your password is never uploaded. Use the output with Apache or Nginx auth_basic, then copy or download it as your .htpasswd file.
How to generate an htpasswd entry
- Type the username and the password you want to protect a directory with.
- Pick a scheme: SHA-1 ({SHA}) is recommended here, or plain text for the rare platforms that need it.
- Copy the username:hash line or download it as a .htpasswd file for your server.
Examples
{SHA} entry for user / password
username user, password password, scheme sha
user:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=Plain-text entry
username admin, password s3cret, scheme plain
admin:s3cret
Frequently asked questions
What is a .htpasswd file?
A .htpasswd file stores usernames and hashed passwords for HTTP basic authentication. Web servers like Apache (with AuthType Basic and AuthUserFile) and Nginx (with auth_basic and auth_basic_user_file) read it to password-protect a directory or site. Each line is one account in the form username:hash.
Is my password sent to a server?
No. The {SHA} hash is computed entirely in your browser using the Web Crypto API, so the username and password you type never leave the page and are not logged anywhere. The plain-text option simply formats what you typed; it is still processed locally.
Which password schemes does Apache support?
Apache's htpasswd supports bcrypt (the recommended option, via htpasswd -B), apr1 (its salted MD5 variant, -m, the default on most systems), unsalted SHA-1 in the {SHA} format (-s), crypt (-d), and plain text (-p) on a few platforms. This tool generates the {SHA} and plain formats because they can be produced safely in the browser.
Why are bcrypt and apr1 (MD5) not offered here?
bcrypt and apr1 are salted and deliberately slow, which needs a dedicated password-hashing library that the browser Web Crypto API does not provide. Generating them in client-side JavaScript would be slow and easy to get wrong, so for those run Apache's own tool, for example htpasswd -B -c .htpasswd user for bcrypt.
How secure is the {SHA} scheme?
The {SHA} format is a single unsalted SHA-1 hash, so identical passwords produce identical hashes and it is vulnerable to precomputed (rainbow table) attacks. It is fine for low-stakes or internal use, but for anything important generate bcrypt entries with htpasswd -B instead. Never use the plain-text option on a public server.
How do I add more than one user?
A .htpasswd file holds one account per line. Generate an entry for each username here and paste each line into the same file, or append with htpasswd .htpasswd newuser on the server. Usernames must be unique and must not contain a colon, since the colon separates the username from the hash.
Related tools
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text. Live, lowercase hex output that runs entirely in your browser.
Password Generator
Generate strong, random passwords online. Choose length, letters, digits, symbols and skip look-alike characters. Created in your browser, never stored.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.