AI .htpasswd Generator — Secure Apache Password Files Made Easy
You need to password-protect a staging site, restrict access to an admin directory, or add basic authentication to an internal tool. The quickest way to do this on Apache or Nginx is with an .htpasswd file — a simple text file that stores usernames and hashed passwords. But generating properly hashed entries by hand is tedious and error-prone, especially when you need to choose the right hashing algorithm.
An .htpasswd generator takes the friction out of this process. Enter a username and password, select your preferred hash algorithm, and get a properly formatted entry ready to paste into your server configuration. No command-line tools to install, no syntax to memorize, and no risk of using a weak hashing algorithm by accident.
What Is an .htpasswd File?
An .htpasswd file is a flat text file used by Apache (and supported by Nginx) to store credentials for HTTP Basic Authentication. Each line contains a username and a hashed password separated by a colon:
admin:$apr1$xyz123$HashedPasswordString
developer:$2y$10$BcryptHashedPasswordString
readonly:{SHA}Base64EncodedSHA1Hash
When a client requests a protected resource, the server answers 401 with a WWW-Authenticate: Basic header and the browser shows its built-in login dialog. The browser then repeats the request with an Authorization header carrying base64(username:password). The server looks up the username in the file, hashes the supplied password with the salt and parameters stored in that entry, and compares the result with the stored hash; if they match, access is granted. Nothing is stored server-side between requests, so this check runs on every request.
Store the file outside the web root (for example /etc/apache2/.htpasswd or /etc/nginx/.htpasswd) so it can never be served. Apache's stock configuration denies requests for files matching .ht*, but that only helps where that block is present, and Nginx has no equivalent default; if the file must live under the document root, deny access to it explicitly in the server configuration.
Choosing the Right Hash Algorithm
bcrypt — The Recommended Choice
bcrypt is the strongest option available for .htpasswd files. It is a deliberately slow, salted password hash with a configurable cost factor, so every guess costs an attacker real CPU time and offline cracking scales badly. Apache 2.4 supports it natively (htpasswd -B writes $2y$ entries). Use it whenever your server supports it.
The cost factor sets the number of rounds of bcrypt's expensive key setup: cost 10 means 2^10 (1,024) rounds, and each increment doubles the work for the server and the attacker alike. Note that htpasswd defaults to cost 5; pass -C to raise it. A cost of 10 to 12 is a good balance between cracking resistance and login latency, bearing in mind that Basic Auth re-verifies the password on every request (Apache's mod_authn_socache can cache successful lookups if that becomes a problem). One caveat: bcrypt uses only the first 72 bytes of the password, so longer passphrases are silently truncated.
apr1 (Apache MD5) — The Legacy Default
Apache's MD5-based scheme ($apr1$, the md5crypt construction) has been the default for decades. It runs 1,000 chained rounds of MD5 over the password and an 8-character salt, which was reasonable in the early 2000s but is weak by modern standards. The rounds make it far slower than raw MD5, which GPUs crack at billions of guesses per second, but a single modern GPU still tests tens of millions of apr1 candidates per second, enough to exhaust any short or dictionary-based password quickly. Use apr1 only when bcrypt is not available on your server.
SHA-1 — Avoid If Possible
The {SHA} prefix marks a plain base64-encoded SHA-1 digest of the password with no salt and no iterations. This is the weakest option and exists only for backward compatibility: identical passwords produce identical hashes, precomputed (rainbow) tables apply directly, and a GPU tests billions of SHA-1 guesses per second. Never use it for new deployments. For more on hash algorithms and their security implications, see our guide to hash generation.
crypt — The Unix Classic
Traditional Unix crypt (htpasswd -d) is DES-based, uses only the first 8 characters of the password (anything longer is silently ignored) and has a 12-bit salt with just 4,096 possible values. It is ancient, limited and insecure; it survives only for compatibility with very old systems. Avoid it entirely.
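To make the file format and the two legacy schemes concrete, here is an added example (not code from this article, Apache or Nginx) that parses an .htpasswd file, verifies passwords against $apr1$ and {SHA} entries the way the server does, and generates new entries of either kind. apr1 is implemented from the public md5crypt construction that Apache's apr_md5_encode() follows; bcrypt lines are recognised but deliberately left to the third-party bcrypt package. The usernames and passwords in SAMPLE_HTPASSWD are constructed for the example.

```python
"""Parse, verify and generate .htpasswd entries ($apr1$ and {SHA}).

Added example, not Apache's or Nginx's code.  apr1 follows the public
md5crypt construction (1,000 MD5 rounds over password and 8-char salt);
{SHA} is base64(SHA-1(password)) with no salt.  bcrypt ($2y$) entries are
detected but not verified here: use the third-party `bcrypt` package.
"""
import base64
import hashlib
import hmac
import secrets

# Alphabet shared by the salt and by md5crypt's custom base64 output
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's little-endian base64: emit `count` chars of 6 bits each."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' (salt is clipped to 8 characters)."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                           # md5crypt's odd bit-by-bit step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # the slow part: 1,000 dependent rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final                          # bytes are emitted in md5crypt's fixed order
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: the same password always yields the same string."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_entry(user: str, password: str, scheme: str = "apr1") -> str:
    """Build a 'user:hash' line; apr1 gets a fresh random 8-char salt."""
    if ":" in user or "\n" in user:
        raise ValueError("username must not contain ':' or newlines")
    if scheme == "apr1":
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
        return f"{user}:{apr1_hash(password, salt)}"
    if scheme == "sha":
        return f"{user}:{sha_hash(password)}"
    raise ValueError(f"unsupported scheme {scheme!r}")


def scheme_of(stored: str) -> str:
    """Identify the hash scheme from the stored value's prefix."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith("{SHA}"):
        return "sha"
    if stored[:4] in ("$2y$", "$2a$", "$2b$"):
        return "bcrypt"
    return "crypt"                     # 13-char DES crypt or another crypt(3) form


def verify(stored: str, password: str) -> bool:
    """Re-hash with the entry's own salt and compare in constant time."""
    scheme = scheme_of(stored)
    if scheme == "apr1":
        candidate = apr1_hash(password, stored.split("$")[2])
    elif scheme == "sha":
        candidate = sha_hash(password)
    else:
        raise NotImplementedError(f"{scheme} is not verified in this example")
    return hmac.compare_digest(candidate.encode(), stored.encode())


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash, skipping blank and '#' comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    """What the server does per request: look up the user, verify the password."""
    stored = parse_htpasswd(htpasswd_text).get(user)
    return stored is not None and verify(stored, password)


# Constructed sample file: an apr1 entry generated here plus a {SHA} entry
# whose password is literally "password" (the unsalted hash is recognisable).
SAMPLE_HTPASSWD = "\n".join([
    "# staging site users (constructed sample)",
    make_entry("admin", "Tr0ub4dor&3"),
    "readonly:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
])
```

Two details worth noticing: apr1_hash clips the salt to 8 characters exactly as the server does, so a longer salt does not add security, and sha_hash needs no salt argument at all, which is precisely why two users with the same password get identical {SHA} strings and why a leaked file of {SHA} entries can be attacked with a precomputed table.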
Setting Up .htpasswd Authentication
Apache Configuration
To protect a directory with .htpasswd on Apache, you need two things: the password file and a configuration directive. You can use either the main server config or an .htaccess file:
# In .htaccess or Apache config
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
AuthName sets the realm shown in the browser dialog. AuthUserFile must be an absolute path to your .htpasswd file. Require valid-user grants access to any user in the file; Require user admin developer limits it to the named users. These directives need mod_auth_basic and mod_authn_file loaded, and if you put them in an .htaccess file the directory must have AllowOverride AuthConfig (or All) enabled, otherwise the file is silently ignored and the directory stays open.
Nginx Configuration
Nginx supports .htpasswd files with a similar syntax:
location /admin {
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
Nginx reads the same file format, so you can use the same generator for both servers, but it does not implement every hash itself: apr1, {SHA} and {SSHA} are handled internally, while any other $-prefixed scheme, bcrypt included, is passed to the system crypt(3). bcrypt entries therefore work only where the C library's crypt() understands $2y$ (libxcrypt-based distributions do; older glibc does not). Test a bcrypt login on the target host before relying on it, and fall back to apr1 if it fails.
Setting Proper File Permissions
The .htpasswd file contains password hashes, so it must have restrictive permissions. Make it owned by root, readable by the web server's group and writable by nobody but root. The server process only needs to read it; if the web server user owns the file, a compromised worker can add its own credentials:
# Owned by root, readable by the web server group (www-data on Debian/Ubuntu; nginx or apache on other distributions)
chown root:www-data /etc/apache2/.htpasswd
# Owner read/write, group read, no access for others
chmod 640 /etc/apache2/.htpasswd
For more on Unix file permissions and how to calculate them, see our chmod calculator guide.
When to Use .htpasswd Authentication
.htpasswd is ideal for:
- Staging and development sites — keep pre-launch sites away from search engines and the public
- Internal tools and dashboards — quick protection for tools that do not need a full auth system
- Temporary access control — restrict access during maintenance windows
- Static file protection — password-protect downloadable files or documentation
- Additional security layer — add basic auth in front of an application's own login page
However, .htpasswd is not suitable for:
- User-facing authentication — the browser dialog is ugly and provides no logout mechanism
- Large numbers of users — managing hundreds of entries in a flat file is impractical
- Fine-grained permissions — .htpasswd only supports allow/deny, not roles or permissions
- High-security applications — Basic Auth sends credentials with every request (base64-encoded, not encrypted without HTTPS)
Generating .htpasswd Entries from the Command Line
If you prefer the terminal, Apache provides the htpasswd utility:
# Create a new file and add a bcrypt user (cost 12; htpasswd's default cost is 5)
htpasswd -cB -C 12 /etc/apache2/.htpasswd admin
# Add a user to an existing file with bcrypt
htpasswd -B -C 12 /etc/apache2/.htpasswd newuser
# Use apr1 (the MD5-based scheme) instead
htpasswd -m /etc/apache2/.htpasswd user2
# Print an entry to stdout without touching any file (prompts for the password)
htpasswd -nB admin
# Same, with the password on the command line: for scripts only, it ends up in shell history and in ps output
htpasswd -nbB admin mypassword
The -c flag creates the file and overwrites any existing one, so omit it when adding users; -B selects bcrypt, with -C setting its cost; -m selects apr1 (not raw MD5), -s selects {SHA} and -d selects crypt; -n prints the entry to stdout instead of writing a file; -b takes the password from the command line rather than prompting, which is convenient in scripts but leaves the password in shell history and in the process list, so prefer the interactive prompt. For strong passwords to use with your .htpasswd entries, try our AI password generator.
Security Considerations
HTTP Basic Authentication has inherent limitations you should understand:
- Always use HTTPS: the Authorization header carries base64(username:password) on every request, and base64 is an encoding, not encryption, so without TLS anyone on the network path reads the credentials in the clear. Confirm the site's TLS configuration is correct and that plain HTTP redirects to HTTPS before enabling Basic Auth.
- No session management: the browser keeps the credentials and replays them on every request to that realm until it is closed. There is no logout button and no server-side session to revoke.
- Brute-force exposure: nothing in Basic Auth limits guessing; each wrong password simply earns another 401, so an attacker can try thousands of candidates per minute. Pair it with rate limiting or fail2ban (its apache-auth jail watches for exactly these failures) and with a slow hash such as bcrypt so that the attempts which do get through cost the attacker something.
- Credential caching: because the server re-validates on every request, a changed or removed entry takes effect immediately on the next request. The browser, however, keeps replaying the old credentials and will show the login dialog again until the user enters the new password; there is no way to push a logout or a credential refresh from the server side.
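Detection logic for the brute-force point above, as an added example that is not part of this article or of fail2ban: it reads Apache or Nginx access-log lines in the default combined format, counts 401 responses per client address inside a sliding time window, and reports the addresses and the usernames they tried. The log lines in SAMPLE_LOG are constructed, and the threshold and window defaults are assumptions you would tune for your site.

```python
"""Spot Basic Auth brute force in combined-format access logs.

Added example (not fail2ban's or Apache's code).  A failed Basic Auth
attempt shows up as a 401 response; Apache's %u field may carry the
attempted username on such lines.  Log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# combined format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields we need, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "status": int(m["status"]),
    }


def auth_failure_sources(lines, threshold=5, window_minutes=10):
    """Flag client IPs with >= threshold 401s inside any window_minutes span.

    Returns {ip: {"failures": total_401s, "users": sorted usernames tried}}.
    threshold=1 would flag every legitimate visitor, because a browser's
    first request to a realm always receives a 401 challenge before the
    login dialog appears; the default of 5 is an assumed starting point.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            events[rec["ip"]].append((rec["time"], rec["user"]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):   # two-pointer sliding window over time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(hits),
                    "users": sorted({u for _, u in hits if u}),
                }
                break
    return flagged


# Constructed sample: one fast guessing run, one legitimate login (initial
# 401 challenge followed by a 200), and one slow probe spread over hours.
SAMPLE_LOG = [
    '203.0.113.5 - admin [10/Oct/2023:13:55:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '203.0.113.5 - admin [10/Oct/2023:13:55:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '203.0.113.5 - admin [10/Oct/2023:13:55:03 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '203.0.113.5 - root [10/Oct/2023:13:55:04 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '203.0.113.5 - root [10/Oct/2023:13:55:05 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '203.0.113.5 - root [10/Oct/2023:13:55:06 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.7 - developer [10/Oct/2023:13:56:05 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - admin [10/Oct/2023:09:00:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "python-requests/2.31"',
    '192.0.2.9 - admin [10/Oct/2023:09:00:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "python-requests/2.31"',
    '192.0.2.9 - admin [10/Oct/2023:09:00:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "python-requests/2.31"',
    '192.0.2.9 - admin [10/Oct/2023:14:00:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "python-requests/2.31"',
    '192.0.2.9 - admin [10/Oct/2023:14:00:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, info in auth_failure_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['users']}")
```

Run on the sample with the defaults, only 203.0.113.5 is flagged. The legitimate visitor's single 401 is the browser's challenge, not an attack, and 192.0.2.9 stays under the radar because its five failures never fall inside one ten-minute window; widening the window to several hours catches it, which is the usual trade-off between catching slow probes and banning clumsy users.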
Wrapping Up
.htpasswd authentication is one of those tools that every developer should know how to set up. It is not the right solution for everything, but for quick, reliable access control on Apache and Nginx servers, nothing beats its simplicity. The key is choosing the right hash algorithm (bcrypt), storing the file securely, and always using HTTPS.
A good .htpasswd generator eliminates the guesswork — you get properly formatted, securely hashed entries ready to deploy in seconds. No need to remember command-line flags or worry about accidentally using a weak algorithm.
Generate Secure .htpasswd Entries Instantly
bcrypt, apr1, SHA-1 — choose your algorithm, enter credentials, and get deployment-ready .htpasswd entries. All hashing runs in your browser.
Try the AI .htpasswd Generator →