What format does .htpasswd use?

Each line is username:hash. The hash can be bcrypt ($2y$...), MD5-APR1, SHA-1 ({SHA}...), or crypt. This tool outputs bcrypt or SHA-1, which Apache and nginx both accept.

Which algorithm should I choose?

Use bcrypt — it is slow by design and resistant to brute force. SHA-1 is provided only for legacy systems and offers far weaker protection.

Is my password sent anywhere?

No. Hashing runs entirely in your browser with bcryptjs and the Web Crypto API, so your password and the resulting hash never leave your device.

What format does a .htpasswd file use?

Each line is username:hash. The hash may be bcrypt ($2y$...), MD5-APR1, SHA-1 ({SHA}...), or crypt. This tool produces bcrypt or SHA-1, both of which Apache and nginx accept.

Should I use bcrypt or SHA-1?

Use bcrypt. It is deliberately slow and salted, which resists brute-force and rainbow-table attacks. SHA-1 is unsalted and fast, so it is only suitable for legacy systems that cannot use bcrypt.

Is my password sent to a server?

No. Hashing runs entirely in your browser using bcryptjs and the Web Crypto API, so neither the password nor the generated hash ever leaves your device.

Why does the bcrypt hash start with $2y$?

Apache writes bcrypt hashes with the $2y$ identifier. bcryptjs emits $2a$/$2b$, which are functionally identical, so the tool rewrites the prefix to $2y$ for maximum Apache compatibility.

How do I use the generated line?

Paste the username:hash line into your .htpasswd file, then reference that file from your Apache AuthUserFile directive or nginx auth_basic_user_file setting.

htpasswd Generator

Create username:hash lines for Apache and nginx basic auth using bcrypt (recommended) or SHA-1, with an adjustable cost factor — all hashed locally so passwords never leave your browser.

Updated June 2026

Files never leave your browser

Username

Password

Algorithm

Cost factor:Higher is slower and more secure (10–12 typical).

Hashing runs entirely in your browser — your password is never uploaded. Prefer bcrypt; SHA-1 is legacy and far weaker.

How to use htpasswd Generator

The htpasswd Generator creates Apache and nginx basic-authentication entries — the username:hash lines stored in a .htpasswd file — directly in your browser. Enter a username and password, choose bcrypt (recommended) or SHA-1, and copy a ready-to-paste line. Basic auth is a simple, server-level way to password-protect a directory, staging site, or admin area without writing application code. Because hashing happens entirely client-side with bcryptjs and the Web Crypto API, your password is never uploaded — a crucial property for a tool that handles credentials.

Enter the username you want to protect the resource with.
Enter the password (no colon characters).
Choose bcrypt (recommended) or SHA-1.
For bcrypt, set a cost factor — 10 to 12 is typical.
Click Generate, then copy the username:hash line into your .htpasswd file.

Your data never leaves your device — 100% private processing.

How HTTP basic authentication works

HTTP basic auth is defined by RFC 7617. When a browser requests a protected resource, the server responds with a 401 and a WWW-Authenticate header; the browser prompts for a username and password, then resends the request with an Authorization header containing the base64-encoded credentials. The server looks up the username in its .htpasswd file and compares the supplied password against the stored hash. Because the credentials are only base64-encoded — not encrypted — basic auth must always run over HTTPS so the password is not exposed in transit. The stored hash, however, should still be strong: if the .htpasswd file leaks, a slow bcrypt hash buys far more protection than a fast SHA-1 one.

Hash type	Prefix	Strength	When to use
bcrypt	$2y$	Strong (salted, slow)	Default choice
MD5-APR1	$apr1$	Moderate	Legacy Apache
SHA-1	{SHA}	Weak (unsalted)	Legacy only
crypt	(none)	Very weak	Avoid

Configuring Apache and nginx to use the file

In Apache, point an AuthUserFile directive at your .htpasswd path inside a directory or location block, set AuthType Basic and AuthName, and add "Require valid-user". In nginx, use auth_basic "Restricted" and auth_basic_user_file /path/to/.htpasswd inside the relevant location block. Store the .htpasswd file outside the web root so it can never be served as a static file, and lock down its filesystem permissions. To add or rotate users, append or replace the relevant username:hash line — each user gets exactly one line. Always reload the server after editing, and remember that protection is only as good as the transport: serve the protected resource over HTTPS.

Worked examples

bcrypt entry

Inputs: admin / s3cret · cost 10

Result: admin:$2y$10$... (60-char hash)

SHA-1 entry

Inputs: admin / s3cret · SHA-1

Result: admin:{SHA}W7ph5Mm5Pz8GgiUL...

Glossary

.htpasswd: A flat file storing username:hash pairs that Apache or nginx use for HTTP basic authentication.
Basic auth: An HTTP authentication scheme (RFC 7617) that sends base64-encoded credentials in the Authorization header.
bcrypt: A salted, deliberately slow password-hashing algorithm with a tunable cost factor, resistant to brute force.
Cost factor: The base-2 work parameter for bcrypt; higher values make each hash slower and harder to attack.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use htpasswd Generator?

Generate Apache/nginx basic-auth lines without installing the htpasswd command
Choose bcrypt with a tunable cost factor for strong, brute-force-resistant hashing
Hash entirely in your browser so passwords and hashes never reach a server
Copy a ready-to-paste username:hash line for your .htpasswd file in one click

Common use cases

Password-protecting a staging or preview site so search engines and the public cannot access it
Securing an internal admin panel or metrics endpoint behind Apache or nginx basic auth
Adding a quick access gate to a directory without building application-level login
Rotating credentials for a shared .htpasswd file used by a small team
Generating a hash on a machine that does not have the Apache htpasswd utility installed

Related Developer Tools

Bcrypt Hash Generator & Checker

Generate bcrypt password hashes and verify a password against a hash online. Adjustable cost factor. Free, private bcrypt tool in your browser.

Basic Auth Header Generator

Generate an HTTP Basic Authentication header from a username and password. Get the Base64 Authorization value and a curl snippet, encoded in your browser.

.htaccess Redirect Generator

Generate .htaccess redirect rules online. Create 301/302 redirects, www and HTTPS forcing, and RewriteRule snippets for Apache. Free and private.

JSON Formatter & Validator

Format, validate, and minify JSON instantly. Includes syntax highlighting, error detection, and a collapsible tree view — free, private, in-browser.

Regex Tester

Test and debug regular expressions online. See live matches, capture groups, and replace output. Free, private, instant.

Base64 Encoder & Decoder

Encode text or files to Base64, or decode Base64 strings back to text. Fast, free, and runs entirely in your browser.

Explore all Developer Tools.