htpasswd Generator
Generate password entries for Apache .htpasswd files. Supports bcrypt, MD5 (apr1), SHA1, and crypt algorithms.
Algorithm Comparison
bcrypt: Strongest option. Adaptive cost factor, resistant to GPU attacks. Requires Apache 2.4+.
MD5 (apr1): Apache-specific MD5. Widely supported, but MD5 is considered weak. Prefix: $apr1$
SHA1: Base64-encoded SHA1 hash. Fast but not recommended for new deployments. Prefix: {SHA}
crypt: Legacy Unix crypt. Only uses first 8 characters. Not recommended.
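To check which of these algorithms an existing .htpasswd file uses, the entries can be classified by prefix. This is an added example, not part of the tool; the sample file is constructed, and the $2y$ bcrypt prefix and the 13-character crypt shape are assumptions based on standard htpasswd output rather than values stated on this page.

```python
import base64
import hashlib
import re

MIN_BCRYPT_COST = 10  # the FAQ on this page recommends cost 10+

# Constructed sample file: usernames and hashes are made up for this example.
SAMPLE = """\
alice:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bob:$apr1$Zr8x1q2F$9bE0yGk1vQm3oXc5uHn7T/
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:rl.3StKT.4T8M
"""

def classify(hash_field):
    """Return (algorithm, finding) for the hash part of one entry."""
    m = re.match(r"\$2[aby]\$(\d{2})\$", hash_field)
    if m:
        cost = int(m.group(1))
        ok = cost >= MIN_BCRYPT_COST
        return ("bcrypt", "ok" if ok else f"cost {cost} below {MIN_BCRYPT_COST}")
    if hash_field.startswith("$apr1$"):
        return ("apr1-md5", "weak: rehash with bcrypt")
    if hash_field.startswith("{SHA}"):
        return ("sha1", "weak: unsalted, rehash with bcrypt")
    if re.fullmatch(r"[./A-Za-z0-9]{13}", hash_field):
        return ("crypt", "weak: only first 8 characters used")
    return ("unknown", "review manually")

def audit(text):
    """Return a list of (user, algorithm, finding), one per non-empty line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, hash_field = line.strip().partition(":")
        results.append((user, *classify(hash_field)))
    return results

def sha_entry(password):
    """Build a {SHA} entry: base64(sha1(password)) with no salt, so the
    same password always yields the same entry for every user."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

if __name__ == "__main__":
    for user, algo, finding in audit(SAMPLE):
        print(f"{user:8} {algo:10} {finding}")
```
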
How to Use
1. Create .htpasswd file
/etc/apache2/.htpasswd
2. Add to .htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
3. For NGINX
location /protected {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
What is This Tool?
An htpasswd generator creates password entries for Apache .htpasswd files and Nginx basic authentication. Generate bcrypt, SHA-1, or MD5-hashed credentials for protecting directories, staging sites, and admin panels with HTTP Basic Authentication.
HTTP Basic Auth transmits base64-encoded credentials in the Authorization header. While not suitable for public-facing logins (use OAuth/sessions instead), it is simple and effective for protecting development environments, staging sites, and internal tools behind a quick password gate.
Common Use Cases
Staging Site Protection
Password-protect staging and preview environments to prevent public access and search engine indexing.
Admin Panel Security
Add an extra authentication layer to admin panels, phpMyAdmin, and server management tools.
Nginx Auth Setup
Generate auth_basic credentials for Nginx server blocks and location-specific authentication.
API Gateway Auth
Create basic auth credentials for simple API gateway protection during development.
Frequently Asked Questions
Which hash algorithm should I use?
bcrypt (cost 10+) is the most secure option. Apache 2.4+ supports bcrypt. Use SHA-1 or MD5 only for older Apache versions.
Is Basic Auth secure?
Only over HTTPS. Credentials are base64-encoded (not encrypted) in transit. Always use TLS. For production user auth, use session-based or token-based authentication.
How do I configure Nginx?
Add auth_basic "Restricted"; auth_basic_user_file /path/to/.htpasswd; to your server or location block.