UtilityKit

htpasswd Generator

Generate bcrypt, MD5-APR, or SHA1 htpasswd entries for HTTP Basic Authentication, compatible with Apache and Nginx.

About htpasswd Generator

The htpasswd Generator creates password hash entries in the format used by Apache's htpasswd utility and Nginx for HTTP Basic Authentication. You can generate entries using bcrypt (most secure, recommended for Nginx auth_basic and modern Apache), MD5-APR ($apr1$ format, traditional Apache), or SHA1 (legacy). Enter a username and password and the tool produces a correctly formatted username:hash line ready to paste into your .htpasswd file. bcrypt hashing runs in the browser using a JavaScript implementation — your credentials are never transmitted to any server. The tool also lets you choose the bcrypt cost factor between 4 and 14, so you can balance generation speed against brute-force resistance for your environment.

Why use htpasswd Generator

  • Supports bcrypt, MD5-APR ($apr1$), and SHA1 formats for full compatibility.
  • All hashing runs in the browser — credentials never reach a server.
  • Produces a correctly formatted username:hash line ready for direct use.
  • bcrypt salt is randomized on each generation for security.
  • Avoids requiring the Apache htpasswd binary on systems where only Nginx is installed, while still producing fully compatible output.
  • Generates a fresh random salt for every hash; salts are never reused between calls, because salt reuse weakens any deployment that relies on it.

How to use htpasswd Generator

  1. Enter the username and password in the respective fields.
  2. Select the hash format: bcrypt (recommended), MD5-APR, or SHA1.
  3. Click Generate to compute the htpasswd entry.
  4. Copy the resulting username:hash line and append it to your .htpasswd file.
  5. Pick a bcrypt cost factor of 12 for production; raise it on stronger hardware to keep hashing time around 100-200 ms per attempt.
  6. Concatenate multiple generated lines into a single .htpasswd file using a text editor — there is no need to re-run the tool for the file as a whole.

When to use htpasswd Generator

  • Setting up HTTP Basic Authentication on Apache or Nginx.
  • Adding users to an existing .htpasswd file without installing Apache tools.
  • Generating bcrypt hashes for Basic Auth on a server without the htpasswd command.
  • Creating test credentials for development environments.
  • Quickly protecting a staging or admin URL behind Basic Auth without provisioning a full identity provider.
  • Adding a single new user to an existing .htpasswd file managed by another team without giving them shell access to your server.

Examples

bcrypt entry (recommended)

Input: Username: admin, Password: s3cret!, Format: bcrypt (cost 12)

Output: admin:$2y$12$Ej3oV8rB2qXkWzP1fN7sBuqLk9.FtQv6Hh3dM8nC2ePr0uV5zKjS6

APR1 entry

Input: Username: admin, Password: s3cret!, Format: MD5-APR1

Output: admin:$apr1$Mb4xqRfL$cQ7dN8/jK1pV2zX9oY3hL0

SHA1 entry (legacy)

Input: Username: admin, Password: s3cret!, Format: SHA-1

Output: admin:{SHA}n8vLmTOI2Gz5ZOrB6Z8OV9MoRiU=

Multiple users (concatenated)

Input: Run twice for admin and editor accounts

Output:

admin:$2y$12$...
editor:$2y$12$...
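The three entry formats shown above can be recognised by prefix and length, which makes an existing .htpasswd file easy to audit. The following is an added example, not code from this tool: the function names are hypothetical, and the thresholds assume the cost-12 recommendation from the steps above.

```python
import re

BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
APR1 = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
SHA1 = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")
MIN_COST = 12  # the page's production recommendation


def classify(hash_field):
    """Return (scheme, severity, note) for the hash part of one entry."""
    m = BCRYPT.match(hash_field)
    if m:
        cost = int(m.group(1))
        if cost < MIN_COST:
            return "bcrypt", "warn", f"cost {cost} is below {MIN_COST}"
        return "bcrypt", "ok", f"cost {cost}"
    if APR1.match(hash_field):
        return "apr1", "warn", "salted MD5 with 1000 rounds; regenerate as bcrypt"
    if SHA1.match(hash_field):
        return "sha1", "fail", "single unsalted SHA-1; regenerate as bcrypt"
    return "unknown", "fail", "not one of the three formats"


def audit(text):
    """Audit .htpasswd content; return (line, user, scheme, severity, note) tuples."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, None, "malformed", "fail", "expected username:hash"))
            continue
        scheme, severity, note = classify(hash_field)
        if user in seen:  # a second line was appended for an existing user
            severity, note = "fail", note + "; duplicate username"
        seen.add(user)
        findings.append((lineno, user, scheme, severity, note))
    return findings


# Constructed sample: first three hashes are this page's example outputs, last two are placeholders.
SAMPLE = "\n".join([
    "admin:$2y$12$Ej3oV8rB2qXkWzP1fN7sBuqLk9.FtQv6Hh3dM8nC2ePr0uV5zKjS6",
    "editor:$apr1$Mb4xqRfL$cQ7dN8/jK1pV2zX9oY3hL0",
    "legacy:{SHA}n8vLmTOI2Gz5ZOrB6Z8OV9MoRiU=",
    "demo:$2y$04$" + "A" * 53,
    "admin:$2y$12$" + "B" * 53,
])
```

Calling `audit(SAMPLE)` returns one tuple per entry; anything marked `warn` or `fail` is a candidate for regeneration with bcrypt at cost 12 or higher.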

Tips

  • Always pick bcrypt for new deployments. APR1-MD5 is widely supported but trivially crackable on modern GPUs; SHA-1 is broken and should be avoided entirely.
  • Use a bcrypt cost factor of at least 12 in production; the default 10 is fast on a laptop, and it is just as fast for an attacker guessing passwords.
  • If you only need a quick demo or local test, lower the bcrypt cost to 4 to speed up generation, but never deploy that hash to a public server.
  • Append new lines to .htpasswd rather than rewriting the file — overwriting can race with web server reloads and lock out users mid-request.
  • Keep .htpasswd outside the document root (e.g. /etc/apache2/.htpasswd) and chmod it 640 so the web server can read it but other users cannot.
  • After updating .htpasswd, run `apachectl configtest` (Apache) or `nginx -t` (Nginx) before reloading, then use `systemctl reload apache2` or `systemctl reload nginx` rather than a restart to keep connections alive.
  • Rotate Basic Auth credentials on a schedule; HTTP Basic transmits credentials on every request, so a leaked credential stays usable until it is rotated.
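The placement and permission tip above can be checked automatically before each reload. This is an added example, not part of the tool: the function name and its `docroot` parameter are hypothetical, and the caller supplies both paths.

```python
import os
import stat


def check_htpasswd_placement(path, docroot):
    """Return a list of problems with where and how the credentials file is stored."""
    problems = []
    # Resolve symlinks first so a link out of (or into) the docroot is judged by its target.
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    # A file under the document root may be served to any visitor who requests it.
    if os.path.commonpath([real, root]) == root:
        problems.append("file is inside the document root")
    mode = stat.S_IMODE(os.stat(real).st_mode)
    # 640 means: owner read/write, group read, nothing for other users.
    if mode & stat.S_IRWXO:
        problems.append(f"mode {mode:o} grants access to other users")
    if mode & (stat.S_IWGRP | stat.S_IXUSR | stat.S_IXGRP):
        problems.append(f"mode {mode:o} is broader than 640")
    return problems
```

An empty list means the file sits outside the document root with a mode no broader than 640.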

Frequently Asked Questions

Which hash format should I use?
bcrypt is strongly recommended for new setups due to its resistance to brute-force attacks. MD5-APR is widely supported but weaker. SHA1 is legacy and should be avoided where possible.
Is this compatible with Nginx auth_basic?
Yes. Nginx's ngx_http_auth_basic_module supports all three formats, though bcrypt may require an additional module on some distributions.
Can I generate multiple users at once?
Currently the tool generates one entry per operation. Generate each user separately and concatenate the lines in your .htpasswd file.
Why does bcrypt produce a different hash each time for the same password?
bcrypt generates a unique random salt for every hash. This is by design — two hashes of the same password will not be identical but both will verify correctly.
Does generating the hash in the browser compromise security?
No. The browser implementation uses the same algorithm as the server-side tool. Your password is only processed locally and never transmitted.
Is HTTP Basic Auth secure enough for production?
Only over HTTPS. Basic Auth transmits credentials on every request, base64-encoded but not encrypted. Without TLS the password is effectively in the clear. Inside HTTPS it is acceptable for low-stakes admin pages but never for end-user accounts.
Why does bcrypt produce a different hash each time?
Each call generates a new random salt, which is mixed into the hash. The salt is included in the output, so verifying the password reproduces the same final hash. Different salts producing different hashes is a security feature, not a bug.
How do I verify a generated hash works?
Save the line to a .htpasswd file, configure Apache or Nginx to use it for a directory, then access that directory and provide the username and password. Tools like `htpasswd -v` (Apache) can also verify offline.

Glossary

htpasswd
An Apache utility (and file format) that stores hashed credentials for HTTP Basic Authentication. Each line is `username:hash`.
HTTP Basic Authentication
A simple challenge-response auth scheme defined in RFC 7617; the client sends `Authorization: Basic base64(user:pass)` on every request.
bcrypt
An adaptive password hashing function designed by Provos and Mazières in 1999. Includes a tunable cost factor and salt; the htpasswd `$2y$` variant is widely supported.
APR1 / MD5-APR
The Apache-specific MD5 password format with a salt and 1000-round iteration. Identified by the `$apr1$` prefix. Considered weak on modern hardware.
SHA-1 password hash
Apache's legacy `{SHA}` format — a single SHA-1 of the password with no salt. Effectively broken; only present for backwards compatibility.
Salt
Random bytes mixed into the hash input so identical passwords produce different hashes, preventing rainbow-table attacks.
Cost factor
A bcrypt parameter (typically 4 to 31) that controls how many rounds of internal mixing run per hash; each unit doubles the time required.
auth_basic / mod_auth_basic
The Nginx and Apache modules respectively that implement HTTP Basic Auth using a credentials file like .htpasswd.