HTPASSWD Generator Online: Create Apache and Nginx Auth Files (Free)

Generate htpasswd entries for Apache basic authentication. Supports bcrypt, MD5, and SHA1 hashing. 100% client side.


About htpasswd

htpasswd files hold one username:hash pair per line and back HTTP Basic Authentication in Apache (mod_auth_basic with mod_authn_file) and Nginx (auth_basic). Apache's htpasswd command-line tool hashes with APR1-MD5 by default; you have to ask for bcrypt explicitly with -B.

Usage in Apache

# .htaccess (only honoured where the main server config sets AllowOverride AuthConfig)
# Needs mod_auth_basic, mod_authn_file and mod_authz_core loaded.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user


htpasswd in 2026: Still Useful, Still Misused

Apache's .htpasswd file is the original lightweight authentication mechanism — a flat file mapping usernames to hashed passwords, used by Apache and Nginx for basic-auth on directories or admin pages. It's older than HTTPS itself, has a tarnished reputation, and yet still ships on millions of servers. Used correctly it's fine for simple cases; used incorrectly it's a credential leak waiting to happen.

The hash formats you'll see

  • bcrypt ($2y$...) — the strongest scheme htpasswd supports, but not its default: select it with -B (the cost factor is set with -C, default 5). Apache 2.4 verifies it with APR 1.5 or newer; Nginx only if the system crypt(3) understands $2y$. Use this for new files.
  • SHA1 ({SHA}...) — a single unsalted SHA-1, so two users with the same password get the same hash and rainbow tables apply. Avoid for new files; common in legacy.
  • APR1 / MD5 ($apr1$...) — Apache's own salted MD5, iterated 1000 times with a salt of up to 8 characters. Better than plain MD5 but cheap on modern cracking hardware, and weaker than bcrypt.
  • CRYPT (no prefix, 13 chars) — classic DES crypt(3) with a 2-character salt. It silently uses only the first 8 characters of the password and is not available from htpasswd on Windows. Truly legacy.

Pick bcrypt unless the server that will verify the file cannot check it.
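To make the formats above concrete, here is an added example (not the generator's own code) that builds and verifies $apr1$ and {SHA} entries with nothing but the Python standard library. The apr1_md5 function is a port of Apache's apr_md5_encode(), so its output is interchangeable with htpasswd -m; {SHA} is just base64(SHA-1). bcrypt is not in the standard library, so $2y$ entries are delegated to the third-party bcrypt package, which this example assumes is installed only if such entries exist. All function names are this example's own.

```python
"""Added example: build and verify htpasswd entries ($apr1$ and {SHA}) with the
standard library only. bcrypt entries are delegated to the third-party `bcrypt`
package (assumed installed only when $2y$ entries are actually present)."""
import base64
import hashlib
import hmac
import secrets

APR1_ID = b"$apr1$"
# crypt(3)-style alphabet; index == 6-bit value
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1: MD5 stretched 1000 rounds, salt truncated to 8 chars.
    Port of apr_md5_encode(); same string `htpasswd -m` would write."""
    pw = password.encode()
    sp = salt.encode()[:8]                 # Apache reads at most 8 salt chars
    ctx = hashlib.md5(pw + APR1_ID + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                          # mix in `alt` once per 16 pw bytes
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # the slow part: 1000 dependent MD5s
        c1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    f = final                              # Apache's byte permutation, then to64
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (APR1_ID + sp + b"$" + enc).decode()


def sha1_entry(password: str) -> str:
    """Legacy {SHA}: unsalted base64(SHA-1). Equal passwords -> equal hashes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def new_salt(n: int = 8) -> str:
    """Random salt from the crypt alphabet, CSPRNG-backed."""
    return "".join(secrets.choice(ITOA64.decode()) for _ in range(n))


def make_entry(user: str, password: str, scheme: str = "apr1") -> str:
    """One htpasswd line. ':' is the field separator, so it cannot be in a name."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    if scheme == "apr1":
        return f"{user}:{apr1_md5(password, new_salt())}"
    if scheme == "sha":
        return f"{user}:{sha1_entry(password)}"
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify(stored: str, password: str) -> bool:
    """Check `password` against one stored hash field (constant-time compare)."""
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0]         # reuse the stored salt
        return hmac.compare_digest(apr1_md5(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_entry(password), stored)
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        import bcrypt  # third-party; assumption: installed when bcrypt entries exist
        return bcrypt.checkpw(password.encode(), stored.encode())
    raise ValueError("unrecognised hash scheme")


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    """Look `user` up in htpasswd-format text and verify the password."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return verify(stored, password)
    return False
```

Run make_entry("alice", "s3cret") twice and you get two different lines, because the salt changes; run sha1_entry("s3cret") twice and you get the same string, which is exactly why {SHA} leaks password reuse across users.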

When htpasswd is fine

  • A small admin page or staging environment.
  • Static-site preview URLs with one or two reviewers.
  • An infrequently-changed list of fewer than 50 users.
  • Reverse-proxy gates in front of internal dashboards.

When to graduate

Anything user-facing, anything with self-service signup, anything with role-based permissions, anything subject to compliance — use a real auth provider (Auth0, Cognito, Keycloak, your own SSO). Basic-auth has no logout, no MFA, no password reset, and credentials are sent on every request. For B2B SaaS, see our SAML vs OIDC vs OAuth2 comparison.

Common pitfalls

  • Storing the file inside the web root. Apache's stock config denies files matching .ht* with a <Files ".ht*"> block, but that protects only that name pattern and only on Apache; Nginx serves a .htpasswd under the document root as a plain file unless a location block denies it. Put the file outside the document root.
  • Plain HTTP. Basic-auth sends credentials base64-encoded (not encrypted) on every request. Without TLS, anyone on the path, including the coffee-shop wifi, has them.
  • Reusing one password for everyone. Defeats the purpose: no accountability, and revoking one person means rotating everyone. One account per human.
  • No rate limiting. Neither Apache nor Nginx throttles failed Basic-auth attempts on its own, so credential stuffing is uncapped unless you add a limiter at the proxy or a log-watching ban tool.
  • Committing to git. Even hashed credentials are crackable offline, and the history keeps the file forever. Don't.
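Several of these pitfalls are visible from the file itself. The following added example (not the page's tool code) audits an htpasswd file: it names each entry's scheme, flags crypt, {SHA}, $apr1$ and plaintext fields for rehashing, reports duplicate usernames and malformed lines, and spots shared passwords through identical unsalted {SHA} hashes. The bcrypt cost floor (10) and the user-count ceiling (50, from the list above) are this example's own thresholds, not Apache defaults, and the sample file is constructed.

```python
"""Added example: audit an htpasswd file for the pitfalls listed above.
Thresholds are this example's assumptions; SAMPLE is a constructed file."""
import re
from collections import Counter, defaultdict

# 13 chars from the crypt alphabet: how Apache recognises DES crypt(3).
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# $2y$NN$ + 22 salt chars + 31 hash chars
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./0-9A-Za-z]{53}$")
MIN_BCRYPT_COST = 10   # assumption for this audit, not an Apache default
MAX_USERS = 50         # the "fewer than 50 users" rule of thumb above

SAMPLE = """\
# constructed sample for this example; none of these are real credentials
alice:$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:rqXexS6ZhobKA
eve:hunter2
frank:$apr1$abcdefgh$0123456789abcdefghijkl
grace:$2y$05$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
bob:$apr1$ijklmnop$0123456789abcdefghijkl
this-line-has-no-colon
"""


def classify(stored: str) -> str:
    """Name the scheme of one stored password field by its prefix/shape.
    A 13-char plaintext password is indistinguishable from crypt, as in Apache."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    if CRYPT_RE.match(stored):
        return "crypt"
    return "plain-or-unknown"


def audit(text: str) -> list[str]:
    """Return human-readable findings for htpasswd-format text."""
    findings = []
    users = Counter()
    sha_hashes = defaultdict(list)       # unsalted hash -> users sharing it
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user or not stored:
            findings.append(f"line {lineno}: malformed entry")
            continue
        users[user] += 1
        scheme = classify(stored)
        if scheme == "crypt":
            findings.append(f"{user}: crypt() hash; only the first 8 password chars count, rehash with bcrypt")
        elif scheme == "sha1":
            findings.append(f"{user}: unsalted {{SHA}} hash, rehash with bcrypt")
            sha_hashes[stored].append(user)
        elif scheme == "apr1":
            findings.append(f"{user}: apr1 (MD5) hash, rehash with bcrypt when convenient")
        elif scheme == "bcrypt":
            cost = int(BCRYPT_RE.match(stored).group(1))
            if cost < MIN_BCRYPT_COST:
                findings.append(f"{user}: bcrypt cost {cost} below {MIN_BCRYPT_COST}")
        else:
            findings.append(f"{user}: plaintext or unrecognised hash, rehash with bcrypt")
    for user, n in users.items():
        if n > 1:
            findings.append(f"{user}: {n} entries; keep exactly one")
    for names in sha_hashes.values():
        if len(names) > 1:
            findings.append("shared password visible from identical {SHA} hashes: " + ", ".join(names))
    if len(users) > MAX_USERS:
        findings.append(f"{len(users)} users; consider a real auth provider")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Point it at a real file with audit(open(path).read()) from a host that already holds the file; copying htpasswd files around to audit them is its own pitfall.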

This generator computes hashes locally; usernames and passwords stay in your browser. For real production credential stores, use a database with proper bcrypt rounds and audit logging.

Frequently Asked Questions

Should I use bcrypt or APR1 for htpasswd?

bcrypt. APR1 (Apache MD5) is 1000 rounds of MD5 with an 8-character salt, which GPUs grind through orders of magnitude faster than bcrypt at a sensible cost. Keep APR1 only where something that reads the file cannot verify bcrypt.

Does Nginx support htpasswd files?

Yes, with a caveat. Nginx's auth_basic and auth_basic_user_file directives read the same file, and Nginx natively understands $apr1$, {SHA}, {SSHA} and {PLAIN}. Anything else, including bcrypt and CRYPT, is handed to the system crypt(3), so bcrypt entries only work where the libc's crypt supports $2y$ (glibc with libxcrypt does; many other platforms do not). Test one bcrypt login on the actual server before switching a file over.

How do I add a user to an existing htpasswd file?

On the CLI, "htpasswd -B /path/to/.htpasswd username" prompts for the password and appends the user, or replaces that user's line if it already exists. Leave out -c, which creates a new file and overwrites an existing one. -B forces bcrypt (raise the cost with -C, for example -C 12). Avoid -b, which takes the password on the command line and leaks it into shell history and process listings; -i reads it from stdin instead, and -D removes a user.

Is basic-auth secure enough for production admin pages?

Only when combined with TLS, IP allowlisting, MFA at a higher layer, and rate limiting. Otherwise upgrade to a proper auth system.