How do I create an .htpasswd file?

Enter a username and password above, pick bcrypt, copy the generated username:hash line, and paste it into a plain text file named .htpasswd on your server. Add one line per user. Then point your web server at it with an AuthUserFile directive (Apache) or auth_basic_user_file (Nginx). The Download button gives you a ready-made file.

What hashing algorithm does htpasswd use by default?

Apache's htpasswd program defaults to APR1-MD5 ($apr1$) — an iterated, salted MD5 designed for portability across platforms. Modern Apache also supports bcrypt with the -B flag, which is stronger. This tool offers bcrypt (recommended), APR1-MD5, and SHA-1 so you can match whatever your server expects.

Is bcrypt or MD5 (APR1) better for .htpasswd?

bcrypt. APR1-MD5 is salted but fast, so it resists modern GPU cracking far less than bcrypt, whose cost factor deliberately slows each guess. Use bcrypt (-B) unless your server is too old to support it, in which case APR1-MD5 is the next-best portable option. Avoid unsalted SHA-1 for anything that matters.

How do I add multiple users to one .htpasswd file?

Each user is one username:hash line. Use the "Add another user" button to build the whole file at once, then copy or download it. To append a user to an existing file later, generate a single line here and add it on its own row. Usernames must be unique — a duplicate line silently overrides the earlier one.

How do I protect a directory with .htaccess and .htpasswd?

Put your .htpasswd file outside the web root, then drop a .htaccess file in the directory you want to lock with four lines: AuthType Basic, AuthName "Restricted Area", AuthUserFile /absolute/path/to/.htpasswd, and Require valid-user. The snippet is generated for you above. Apache must allow AuthConfig overrides (AllowOverride AuthConfig) for .htaccess to take effect.

Is my password sent to your server?

No. All hashing runs in your browser using the Web Crypto random generator and a pure-JavaScript bcrypt, MD5, and SHA-1 implementation. Open your browser's Network tab while you generate — you'll see no request leaves the page. That's the main reason to use this over generators that POST your plaintext password to a backend.

Does the output work with Nginx as well as Apache?

Yes. Nginx's ngx_http_auth_basic_module reads the same file format and accepts APR1 ($apr1$), SHA-1 ({SHA}), and crypt hashes; bcrypt support depends on your Nginx build's crypt library. Reference it with auth_basic "Restricted Area"; and auth_basic_user_file /path/.htpasswd; inside a server or location block.

Why does the bcrypt hash change every time I click Generate?

bcrypt and APR1-MD5 add a fresh random salt each run, so the hash string differs every time even for the same password — that's by design and is what makes them secure. Both still verify correctly. Use the Verify tab to confirm a password matches a hash rather than comparing the strings directly.

Developer · Utility

.htpasswd Generator — Apache & Nginx Basic Auth

Create a username:hash line for HTTP Basic Auth in your browser. Choose bcrypt, APR1-MD5, or SHA-1, get a copy-ready .htaccess snippet, and verify a password against an existing hash. Your password is hashed locally and never uploaded.

By Induwara Ashinsana— Executive Director, Ryzera TechnologiesUpdated Jun 24, 2026

.htpasswd Generator

Hash algorithm

Recommended — strong, salted, tunable cost.

bcrypt cost factor10 · 1,024 rounds

Higher cost = slower to compute and slower to brute-force. 10–12 is a sensible range for 2026 hardware.

Username

Password

Formats follow the Apache htpasswd program (bcrypt -B, APR1 -m, SHA-1 -s) and are read by Apache mod_authn_file and Nginx auth_basic. Sources cited below.

How it works

HTTP Basic Authentication (defined in RFC 7617) protects a directory by asking the browser for a username and password. Apache and Nginx check those credentials against a flat file — conventionally named .htpasswd — where every line is username:hash. The server never stores the plaintext password: it hashes whatever the user types and compares the result to the stored hash. This tool builds those lines, using the exact formats Apache's htpasswd program writes.

Three hashing schemes are supported, matching the htpasswd CLI flags:

bcrypt (htpasswd -B) — generates a 16-byte random salt and runs the Blowfish-based bcrypt key-derivation function for 2^cost rounds, emitting $2y$<cost>$<22-char salt><31-char hash>. The cost factor (4–15) is a deliberate slowdown: each step up doubles the work for an attacker. This is the recommended choice. The bcrypt algorithm caps the password at 72 bytes — anything longer is silently ignored, exactly as Apache does.
APR1-MD5 (htpasswd -m) — Apache's portable default. It takes a salt of up to 8 characters and runs the Apache Portable Runtime's 1,000-round MD5 mixing (apr_md5_encode), then encodes the digest with Apache's custom base64 ordering to produce $apr1$<salt>$<22-char digest>. Salted, but fast to compute, so weaker than bcrypt against modern cracking hardware.
SHA-1 (htpasswd -s) — computes SHA1(password), base64-encodes the 20-byte digest, and prefixes {SHA}. It is unsalted by design, which means identical passwords always produce identical hashes — flagged here as insecure and offered only for compatibility with legacy files.

Every salt is drawn from the browser's cryptographic random source (crypto.getRandomValues), not Math.random. Because bcrypt and APR1-MD5 re-salt on each run, the hash text changes every time — that is expected and is why salted schemes can only be checked by re-running the algorithm, which is exactly what the Verify tab and your web server do. The APR1-MD5 implementation here is reconciled byte-for-byte against openssl passwd -apr1 and the published Apache source, and the SHA-1 output matches the canonical digest of the input.

Worked examples

SHA-1 — reconciles by hand

Username "admin", password "password", algorithm SHA-1.
SHA1("password") = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (20 bytes).
base64 of those 20 bytes = W6ph5Mm5Pz8GgiULbPgzG37mj9g=
Output line: admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
This equals the published SHA-1 digest of "password" exactly.

APR1-MD5 — matches openssl

Password "myPassword", fixed salt "rqXexS6Z" (the tool uses a random salt).
Run apr_md5_encode: MD5(pw+salt+pw), fold in the password length bit-pattern, then 1,000 mixing rounds.
Apache base64 of the final digest = QK/GOWpcYWrvXocW5.iZu1
Output: $apr1$rqXexS6Z$QK/GOWpcYWrvXocW5.iZu1
Identical to `openssl passwd -apr1 -salt rqXexS6Z myPassword`.

bcrypt — verify, don't compare

Password "password", cost 10, salt N9qo8uLOickgx2ZMRZoMye.
Output: $2y$10$N9qo8uLOickgx2ZMRZoMye8fOsiTWZqYtkxvXkKm8BMzjT7t/vIdq
Paste that hash + "password" into the Verify tab → matches.
Paste the same hash + "password1" → no match.
A live run produces a different salt each time, so check by verifying, not by string equality.

Frequently asked questions

Sources & references

The hash formats and the APR1-MD5 algorithm were last cross-checked against the Apache source and openssl passwd -apr1 on 2026-06-24.

Related tools

LiveUtility

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes of text or files entirely in your browser. Optional HMAC mode with a secret key. RFC 1321 / FIPS 180-4 / RFC 2104 conformant, no uploads.

Open tool

LiveUtility

QR Code Generator

Generate QR codes for URLs, text, Wi-Fi, vCards, email, phone, or SMS. Customise colours, set error-correction level, add a centre logo. Encoded entirely in your browser, no signup, downloads as PNG or SVG.

Open tool

LiveUtility

UUID Generator

Generate UUID v4 (random) or v7 (time-ordered) in your browser. Bulk up to 1,000 at a time, copy or download as .txt/.csv, inspect any UUID for version, variant, and embedded timestamp. RFC 9562 conformant.

Open tool

Rate this tool

Be the first to rate

Comments & feedback

Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.

Found a bug, edge case, or want to suggest an improvement?

Email me at [email protected] — most fixes ship within 24 hours.