Use htpasswd Generator

Generating .htpasswd Entries

The Htpasswd Generator creates properly formatted .htpasswd file entries for Apache basic authentication. Here are examples using different hashing algorithms:

# Bcrypt (recommended — strongest security)
username:$2y$10$abcdefghijklmnopqrstuuVwXyZ0123456789ABCDEFGHIJKLMNOP

# MD5/APR1 (most compatible — works on all platforms)
username:$apr1$xyz12345$AbCdEfGhIjKlMnOpQrStUv/

# SHA-1 (less secure — avoid for new deployments)
username:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

# Crypt (oldest — avoid for new deployments)
username:ab12cDeFgHiJkL

Always use bcrypt for new deployments. Its hash is deliberately expensive to compute, which makes offline brute-force attacks impractical even if the .htpasswd file is compromised.

Complete .htpasswd File with Multiple Users

A .htpasswd file contains one entry per line. Here is an example with multiple users:

# .htpasswd file
# Generated with bcrypt hashing
admin:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
editor:$2y$10$Gu3Gy5Gy5Gy5Gy5Gy5GyuVwXyZ0123456789ABCDEFGHIJKLMNOP
viewer:$2y$10$Kx7Kx7Kx7Kx7Kx7Kx7KxuVwXyZ0123456789ABCDEFGHIJKLMNOP
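
To check which of the four formats above an existing file actually contains, the following auditor classifies every entry. It is an added example, not part of the generator; the names classify, audit, SAMPLE and MIN_COST and the verdict labels are this example's own, and SAMPLE is constructed.

```python
import re
from collections import Counter

# (scheme, pattern, verdict) for the four entry formats listed above.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$(\d\d)\$[./A-Za-z0-9]{53}$"), "ok"),
    ("apr1", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "legacy"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), "weak"),
]
MIN_COST = 10  # assumption: flag bcrypt costs below the $10$ used on this page

def classify(hash_field):
    """Return (scheme, verdict) for the text after 'user:' in one entry."""
    for scheme, pattern, verdict in SCHEMES:
        m = pattern.match(hash_field)
        if m and scheme == "bcrypt" and int(m.group(1)) < MIN_COST:
            return scheme, "low-cost"
        if m:
            return scheme, verdict
    return "unknown", "weak"  # plaintext or a damaged hash

def audit(text):
    """Return ({user: (scheme, verdict)}, users whose hash another user shares).

    {SHA} is unsalted, so two users with the same {SHA} value share a password.
    """
    report, hashes = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            report[line] = ("malformed", "weak")
            continue
        report[user] = classify(hash_field)
        hashes[user] = hash_field
    counts = Counter(hashes.values())
    return report, {u for u, h in hashes.items() if counts[h] > 1}

# Constructed sample: admin and {SHA} values are printed on this page,
# the repeated-letter hashes are fillers of the correct length.
SAMPLE = "\n".join([
    "# staging users",
    "admin:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "ci:$2y$05$" + "A" * 53,
    "editor:$apr1$xyz12345$" + "B" * 22,
    "viewer:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "guest:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "old:" + "c" * 13,
    "line-without-colon",
])
```

Entries reported as legacy or weak can be re-issued with htpasswd -B once the user sets a new password; the old hash cannot be converted in place.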

Apache .htaccess Configuration

The .htaccess file tells Apache to use basic authentication for a directory. Place this in the directory you want to protect:

# .htaccess — protect the entire directory
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
Require valid-user

# Protect a specific file
<Files "admin.php">
  AuthType Basic
  AuthName "Admin Access"
  AuthUserFile /var/www/.htpasswd
  Require valid-user
</Files>

# Allow specific users only (not all valid users)
AuthType Basic
AuthName "Staging Environment"
AuthUserFile /var/www/.htpasswd
Require user admin editor

# Allow access from local network without password (Apache 2.4 syntax)
# Replaces the Apache 2.2 form: Order allow,deny / Allow from / Satisfy Any
AuthType Basic
AuthName "Protected Area"
AuthUserFile /var/www/.htpasswd
<RequireAny>
    Require ip 192.168.1.0/24
    Require valid-user
</RequireAny>

Nginx Basic Authentication Configuration

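Nginx uses the same .htpasswd file format but different configuration syntax. Nginx checks bcrypt entries through the system crypt() function, so confirm that a $2y$ entry authenticates on your platform before relying on it: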

# nginx.conf — protect a location block
server {
    listen 443 ssl;
    server_name staging.example.com;

    location / {
        auth_basic "Staging Environment";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # Protect only the admin area
    location /admin {
        auth_basic "Admin Panel";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000;
    }

    # Allow health check endpoint without auth
    location /health {
        auth_basic off;
        return 200 "OK";
    }
}

Command-Line htpasswd Tool

The Apache htpasswd command-line tool creates and manages .htpasswd files. Here are the most useful commands:

# Create a new .htpasswd file with the first user (bcrypt)
htpasswd -cB /etc/apache2/.htpasswd admin

# Add a user to an existing file
htpasswd -B /etc/apache2/.htpasswd editor

# Add a user with MD5 hashing (for compatibility)
htpasswd -m /etc/apache2/.htpasswd viewer

# Update a user's password
htpasswd -B /etc/apache2/.htpasswd admin

# Delete a user
htpasswd -D /etc/apache2/.htpasswd viewer

# Verify a password (returns 0 if correct)
htpasswd -v /etc/apache2/.htpasswd admin

# Create entry without interactive prompt (for scripts)
# -i reads the password from stdin, so it never appears in the process list
htpasswd -iB /etc/apache2/.htpasswd deploy < /run/secrets/deploy_password

# Options reference:
# -c  Create new file (overwrites existing)
# -B  Use bcrypt hashing (recommended)
# -m  Use MD5/APR1 hashing
# -s  Use SHA-1 hashing
# -b  Read password from command line (use with caution: visible in the process list)
# -i  Read password from stdin (preferred for scripts)
# -D  Delete user
# -v  Verify password

Security Best Practices

Follow these guidelines to keep basic authentication secure:

# 1. Always use HTTPS: basic auth sends credentials base64-encoded, not encrypted
# Without HTTPS, anyone who can observe the traffic can decode them
server {
    listen 80;
    return 301 https://$host$request_uri;  # Force HTTPS
}

# 2. Store .htpasswd outside the web root
# Bad — accessible via HTTP
/var/www/html/.htpasswd

# Good — outside web root
/etc/apache2/.htpasswd
/var/www/.htpasswd  # one level above html/

# 3. Set correct file permissions
chmod 640 /etc/apache2/.htpasswd
chown root:www-data /etc/apache2/.htpasswd

# 4. Use strong passwords
# Minimum 12 characters, mix of uppercase, lowercase, numbers, symbols
# Tr0ub4dor&3 (11 characters) does not meet this minimum; use a randomly generated password

# 5. Throttle repeated requests to slow password guessing (Apache mod_evasive)
# mod_evasive counts requests per client, not failed logins specifically
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
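
Rules 2 and 3 above can be checked automatically before a deployment goes live. This is an added example, not part of the generator; check_htpasswd and demo are hypothetical names, and demo builds a constructed temporary layout in which html/ stands in for the web root.

```python
import os
import stat
import tempfile

def check_htpasswd(path, web_root):
    """Return a list of findings for a password file; empty means it passed."""
    findings = []
    real = os.path.realpath(path)        # resolve symlinks before comparing
    root = os.path.realpath(web_root)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside web root")          # rule 2
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")           # rule 3: 640, not 644
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings

def demo():
    """Compare a file inside html/ (mode 644) with one a level above (mode 640)."""
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "html")
        os.mkdir(web_root)
        bad = os.path.join(web_root, ".htpasswd")
        good = os.path.join(base, ".htpasswd")
        for path, mode in ((bad, 0o644), (good, 0o640)):
            with open(path, "w") as fh:
                fh.write("admin:placeholder-hash\n")  # constructed content
            os.chmod(path, mode)
        return check_htpasswd(bad, web_root), check_htpasswd(good, web_root)

if __name__ == "__main__":
    print(demo())
```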

Frequently Asked Questions

Simply enter your data, click the process button, and get instant results. All processing happens in your browser for maximum privacy and security.

Yes! htpasswd Generator is completely free to use with no registration required. All processing is done client-side in your browser.

Absolutely! All processing happens locally in your browser. Your data never leaves your device, ensuring complete privacy and security.