htpasswd Generator
Generate Apache and Nginx basic authentication password entries. Supports SHA-1, Salted SHA-1, and APR1-MD5 algorithms. All hashing runs in your browser — your credentials never leave your device.
100% client-side. All hashing is performed locally in your browser using the Web Crypto API. Your passwords are never transmitted to any server.
Apache's APR1-MD5 variant. Uses 1000 rounds of MD5 with an 8-character random salt. Widely supported and more resistant to brute-force than SHA-1.
Apache (.htaccess)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Nginx (server block)
location /protected/ {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
Apache VirtualHost (Directory block)
<Directory "/var/www/html/protected">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
What is htpasswd?
The .htpasswd file is a flat-file credential store used by Apache HTTP Server and Nginx to implement HTTP Basic Authentication (RFC 7617). Each line contains a username and a hashed password separated by a colon: username:hashedpassword.
When a browser requests a protected resource, the server returns a 401 Unauthorized response with a WWW-Authenticate header. The browser prompts the user for credentials, then retransmits the request with an Authorization: Basic base64(username:password) header. The server hashes the supplied password and compares it against the stored hash.
Common use cases include protecting staging environments, internal dashboards, Jenkins or Grafana reverse-proxy fronts, and download areas. When configuring staging environments on NetOz hosting, a .htpasswd file placed in /etc/apache2/ or referenced via .htaccess provides a quick first line of defence before your application authentication layer.
htpasswd Hash Algorithms Compared
Choosing the right hash algorithm balances compatibility with older server versions against resistance to brute-force attacks.
| Algorithm | Format prefix | Salted | Notes |
|---|---|---|---|
| SHA-1 | {SHA} | No | Fast to compute; identical passwords produce identical hashes. Vulnerable to rainbow tables and GPU cracking. Avoid for sensitive data. |
| SSHA | {SSHA} | Yes (4 B) | SHA-1 with a random salt appended before hashing. Prevents rainbow table attacks. Better than plain SHA-1 but still fast to brute-force. |
| APR1-MD5 | $apr1$ | Yes (8 B) | Apache's modified MD5 variant. Performs 1000 rounds of MD5 to increase computation cost. Widely supported; a good default for most deployments. |
| Plain | — | No | Password stored in cleartext. Never use in any environment accessible to untrusted parties. Useful only for rapid local testing. |
For new deployments, prefer APR1-MD5 for broad Apache/Nginx compatibility, or use bcrypt (via the command-line htpasswd -B flag, Apache 2.4+) for stronger security. This tool generates APR1-MD5, SHA-1, and SSHA hashes fully in-browser using the Web Crypto API.
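The comparison above, applied as an audit of an existing .htpasswd file. This is an added example, not this tool's own code: it builds {SHA} and {SSHA} entries, verifies a password against them the way the server does, and flags weak or reused hashes. It assumes the OpenLDAP-style {SSHA} layout (base64 of the digest followed by the salt) and the $2y$ prefix that htpasswd -B emits; the function names and sample entries are constructed for illustration.

```python
import base64, hashlib, hmac, os
from collections import Counter

def sha_hash(password):
    """{SHA}: base64(SHA-1(password)), no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha_hash(password, salt=None):
    """{SSHA}: base64(SHA-1(password + salt) + salt), 4-byte salt as in the table."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Re-hash the supplied password and compare (SHA-1 formats only)."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_hash(password))
    if stored.startswith("{SSHA}"):
        salt = base64.b64decode(stored[6:])[20:]  # bytes after the 20-byte digest
        return hmac.compare_digest(stored, ssha_hash(password, salt))
    raise ValueError("scheme not handled in this example")

PREFIXES = (("{SHA}", "SHA-1"), ("{SSHA}", "SSHA"), ("$apr1$", "APR1-MD5"), ("$2y$", "bcrypt"))

def scheme_of(stored):
    # No known prefix: cleartext, or a format this example does not recognise.
    return next((name for p, name in PREFIXES if stored.startswith(p)), "Plain/unknown")

def audit(text):
    """Return (user, scheme, finding) for each username:hash line."""
    entries = [line.split(":", 1) for line in text.splitlines() if ":" in line]
    reuse = Counter(h for _, h in entries if h.startswith("{SHA}"))
    notes = {"SHA-1": "unsalted, fast", "SSHA": "salted, fast",
             "Plain/unknown": "cleartext or unrecognised"}
    report = []
    for user, stored in entries:
        scheme = scheme_of(stored)
        finding = notes.get(scheme, "ok")
        if reuse[stored] > 1:
            finding += "; password shared with another user"
        report.append((user, scheme, finding))
    return report

# Constructed sample file (not real credentials); alice and bob share a password.
SAMPLE = "\n".join(["alice:" + sha_hash("letmein"), "bob:" + sha_hash("letmein"),
                    "carol:" + ssha_hash("letmein"), "dave:letmein"])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Because {SHA} has no salt, alice and bob end up with byte-identical entries, which is exactly what the reuse check keys on; carol's {SSHA} entry for the same password differs on every run.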
Setting Up Basic Authentication
Apache with .htaccess
Place your .htpasswd file outside the web root (e.g., /etc/apache2/.htpasswd) to prevent direct access. Then add an .htaccess file in the directory you want to protect:
AuthType Basic
AuthName "Staging Environment"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Ensure AllowOverride AuthConfig is set in your Apache VirtualHost or server config, otherwise the .htaccess directives will be silently ignored.
Nginx with auth_basic
Nginx reads .htpasswd files natively. The auth_basic_user_file directive points to the file. Note that Nginx supports only SHA-1 ({SHA}) and APR1-MD5 ($apr1$) — it does not support SSHA or bcrypt without the nginx-auth-ldap module.
server {
    listen 443 ssl;
    server_name staging.example.com;
    location / {
        auth_basic "Staging Environment";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:3000;
    }
}
For more advanced Nginx or Apache configurations, use our Web Server Config Generator to produce reverse proxy, load balancer, and SSL termination configs for Nginx, Apache, Caddy, and HAProxy.
Security Considerations
1. Always serve basic-auth protected resources over HTTPS (TLS). Basic Auth transmits credentials base64-encoded, not encrypted; without TLS, credentials are exposed in transit.
2. Store the .htpasswd file outside the document root so it cannot be downloaded directly by visitors.
3. Prefer APR1-MD5 ($apr1$) over plain SHA-1 for new installations. The 1000-round key stretching significantly increases brute-force cost.
4. Restrict the .htpasswd file permissions: chmod 640 .htpasswd and ensure the web server process user can read it but other system users cannot.
5. Rotate passwords regularly and remove users who no longer require access by editing the .htpasswd file and deleting their line.
6. For high-security scenarios, consider moving to OAuth2/OIDC or mutual TLS rather than relying solely on htpasswd.