htpasswd Generator

What is htpasswd Generator?

The htpasswd Generator is a free in-browser tool for creating credentials used by HTTP Basic Authentication. System administrators and web developers use it to protect a directory or admin panel behind a username and password without installing the Apache htpasswd command-line utility. It produces a single user:hash line you append to a .htpasswd file, choosing bcrypt (the strongest, $2y$ format), APR1 (Apache's portable MD5, $apr1$ format), or SHA-1 (SHA format). It also derives the corresponding Authorization: Basic header so you can test the same credentials with curl or a REST client. The bcrypt cost factor is configurable in Settings for stronger or faster hashing.

How to use htpasswd Generator

1. Enter the username that will log in.
2. Type the password to protect the account; it stays in this field and is never sent anywhere.
3. Copy the Basic Authorization header right away if you only need it for an API request or curl test.
4. Open Settings to pick the hash algorithm (bcrypt, APR1, or SHA-1) and, for bcrypt, the cost factor.
5. Press Generate to compute the hashed .htpasswd line, then copy it into your server's .htpasswd file.

Examples

user: admin, password: s3cret, algorithm: bcrypt (cost 10)

admin:$2y$10$... (a 60-character bcrypt hash, random salt each time)

user: admin, password: s3cret

Basic YWRtaW46czNjcmV0

user: web, password: pass123, algorithm: APR1

web:$apr1$<salt>$<22-char hash>

Frequently asked questions

Is my password sent to a server?

No. Both the Basic header and the .htpasswd hash are computed entirely in your browser using the Web Crypto API and an in-browser WebAssembly hasher. Nothing is uploaded or stored on any server, so the tool works offline and your password never leaves the page.

Which hash should I choose?

Use bcrypt for new setups; it is the most resistant to cracking and is supported by modern Apache and nginx. APR1 ($apr1$) is Apache's portable MD5, useful for legacy configs. SHA-1 ({SHA}) is the weakest and best avoided unless a system specifically requires it.

Why does the Generate button take a moment?

bcrypt and APR1 are intentionally slow to resist brute-force attacks, and bcrypt also loads a small WebAssembly module on first use. A higher cost factor makes bcrypt slower but stronger. SHA-1 and the Basic header are instant.

Does it match the real htpasswd command?

Yes. bcrypt lines use the $2y$ prefix Apache expects, APR1 uses the standard $apr1$ format with a random salt, and SHA-1 uses the {SHA} scheme, all compatible with htpasswd-generated files.

Can I use this for nginx?

Yes. nginx's auth_basic_user_file reads the same .htpasswd format, so a bcrypt or APR1 line works directly. nginx does not support {SHA}, so pick bcrypt or APR1 for it.