htpasswd Generator
Create secure credentials for your Apache or Nginx `.htpasswd` files. Generate hashed password lines using Bcrypt or SHA-1 directly in your browser.
Quick Usage
An `.htpasswd` file looks like this:
admin:$2y$10$vI8a....
user2:{SHA}5en6....
Simply paste the generated line into your file, one user per line.
What is basic authentication?
HTTP Basic Authentication is a simple challenge and response mechanism that allows a server to request credentials (a username and password) from a client. The server uses the `.htpasswd` file to verify these credentials.
Supported Algorithms
- Bcrypt: Uses the Blowfish cipher. It is currently the most secure option for Apache. It's automatically salted and slow to compute, protecting against many types of attacks.
- SHA-1: Uses a 160-bit hash. It is considered legacy and doesn't use a salt by default in the standard htpasswd format, making it vulnerable to rainbow table attacks.
- Plaintext: Stores the password as is. Never use this in production.
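An added example (not this tool's own code), in Python: it builds a `{SHA}` line in the format described above and audits a constructed `.htpasswd` sample, showing that unsalted SHA-1 gives users with the same password identical hashes. The function names, the sample users and passwords, and the bcrypt-shaped placeholder are assumptions made for illustration.

```python
import base64
import hashlib
from collections import defaultdict


def sha1_entry(user, password):
    """Build a '{SHA}' line: base64 of the raw SHA-1 digest, with no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def classify(hash_field):
    """Map the hash field of a line to one of the schemes the page lists."""
    # "$2y$" is the prefix shown on the page; "$2a$"/"$2b$" are other bcrypt variants.
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    # Anything else is either a plaintext password or a scheme not covered here.
    return "plaintext-or-other"


def audit(text):
    """Return ({user: scheme}, [users sharing one unsalted SHA-1 hash, ...])."""
    schemes = {}
    by_hash = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank or malformed line
        user, hash_field = line.split(":", 1)
        schemes[user] = classify(hash_field)
        if schemes[user] == "sha1":
            by_hash[hash_field].append(user)
    # No salt means equal passwords produce equal hashes, visible to any reader.
    shared = [sorted(users) for users in by_hash.values() if len(users) > 1]
    return schemes, shared


# Constructed sample file; the bcrypt value is a shaped placeholder, not a real hash.
SAMPLE = "\n".join([
    "admin:$2y$10$" + "x" * 53,
    sha1_entry("alice", "password"),
    sha1_entry("bob", "password"),
    "carol:hunter2",
])

if __name__ == "__main__":
    schemes, shared = audit(SAMPLE)
    for user, scheme in schemes.items():
        print(f"{user}: {scheme}")
    print("users sharing a SHA-1 hash:", shared)
```

Entries reported as `sha1` or `plaintext-or-other` are the ones to regenerate with Bcrypt.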
Security Best Practices
Always keep your `.htpasswd` file outside of your web root (the folder that is served to the public). For example, if your web root is `/var/www/html`, place your `.htpasswd` file at `/var/www/.htpasswd`. This prevents the file itself from being downloaded by visitors.
Frequently asked questions
What is an htpasswd file?
An htpasswd file is used by the Apache HTTP Server to store usernames and hashed passwords for basic authentication. Each line in the file represents a user, formatted as 'username:hash'.
Which algorithm should I choose?
Bcrypt is the most secure and modern option supported by Apache 2.4+. SHA-1 is older and less secure but may be required for legacy systems. Plaintext is highly insecure and should only be used for local testing where security is not a concern.
How do I use the generated line?
Copy the output line and paste it into your `.htpasswd` file. If the file doesn't exist, create a new one with that name in your server's configuration directory (but outside the web-accessible root).
Is this tool safe to use?
Yes. All hashing is performed locally in your web browser. Your password and the resulting hash are never sent to any server.