Htpasswd Generator

.htpasswd is a flat file used by Apache HTTP Server (and Nginx with auth_basic) to store usernames and hashed passwords for HTTP Basic Authentication. Each line contains username:passwordhash. The file is typically placed in a non-web-accessible directory. Apache reads it when a protected resource is requested and compares the provided password against the stored hash.

bcrypt (recommended): Most secure, uses adaptive cost factor. Supported by Apache 2.4+. APR1-MD5: Apache-specific MD5 variant, widely supported. SHA1: Fast but weaker, base64-encoded SHA-1. Plain text: Never use in production. For new deployments, always use bcrypt. MD5 is acceptable for legacy Apache 2.2 servers that do not support bcrypt.

Create .htpasswd file outside web root (e.g., /etc/apache2/.htpasswd). In .htaccess or httpd.conf: AuthType Basic\nAuthName "Restricted"\nAuthUserFile /etc/apache2/.htpasswd\nRequire valid-user. Enable mod_auth_basic: a2enmod auth_basic && systemctl restart apache2. Set file permissions: chmod 640 .htpasswd; chown www-data:www-data .htpasswd.

In your server or location block: auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;. Nginx supports bcrypt and APR1-MD5 hashes. Test config: nginx -t. Reload: systemctl reload nginx. The .htpasswd file format is identical to Apache. Install apache2-utils to use the htpasswd command-line tool.

Basic Auth transmits credentials in base64 (NOT encrypted) with every request. It is only secure over HTTPS. Without HTTPS, passwords are visible to anyone intercepting traffic. Additional concerns: no session management, no logout mechanism, credentials cached by browser. For public-facing apps, use modern auth (OAuth, JWT). Basic Auth is acceptable for internal tools, staging environments, and API authentication over HTTPS.