htpasswd Entry Generator
Generate APR1-MD5, bcrypt, or SHA-1 entries for .htpasswd files.
Overview
Enter a username and password and get a username:hash line suitable for an Apache or nginx .htpasswd file. Pick between APR1-MD5 (Apache's default), bcrypt (most secure), or SHA-1 (legacy compatibility) when generating the hash.
It's for sysadmins and developers protecting an admin route or staging environment with HTTP Basic Auth. Reach for it when standing up a quick password gate without dragging in an SSO provider, rotating credentials for a maintenance interface, or scripting an htpasswd bootstrap for a Docker image.
How it works
The .htpasswd format is simply user:hash, one user per line. The hash algorithm is identified by a prefix in the hash string: $apr1$ for Apache's MD5 variant, $2y$ for bcrypt, {SHA} for SHA-1 followed by Base64.
APR1-MD5 (Apache's custom MD5) iterates MD5 with a salt 1000 times, generating output compatible with the htpasswd CLI tool's default. Bcrypt uses adjustable work factors (10-12 typical) and is the recommended choice for new deployments. The SHA-1 format is an unsalted SHA-1 digest encoded as Base64 and is kept only for legacy interop.
Examples
- bcrypt entry (recommended):
  admin:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
- APR1-MD5 (Apache default):
  admin:$apr1$abcd1234$xKxJzpPjPx0sJyqYpQ6Hw1
- SHA-1 (legacy):
  admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
- Apache config using the file:
  AuthType Basic
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswd
  Require valid-user
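The prefix rules from "How it works" are enough to audit an existing .htpasswd file. The following is an added example, not code from this tool: it classifies each entry by prefix, flags {SHA} lines, and shows why the missing salt matters (two users with the same password get the same hash). The sample file, the function names, and the bcrypt cost floor of 10 are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed sample file; the hash strings are the example values from this page.
SAMPLE = """\
admin:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
deploy:$apr1$abcd1234$xKxJzpPjPx0sJyqYpQ6Hw1
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
backup:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
no-colon-here
"""
PREFIXES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1"))
MIN_BCRYPT_COST = 10  # assumed policy floor, from the "10-12 typical" range

def classify(hash_field):
    """Map a hash string to its scheme by prefix."""
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    return "unknown"

def sha_entry(user, password):
    """Build a {SHA} line: Base64 of the raw SHA-1 digest, with no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def audit(text):
    """Return (line number, user, finding) tuples for entries worth fixing."""
    findings, sha_owner = [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed: no user:hash separator"))
            continue
        scheme = classify(hash_field)
        if scheme == "sha1":
            findings.append((lineno, user, "unsalted SHA-1: regenerate as bcrypt"))
            if hash_field in sha_owner:  # no salt: equal hashes mean equal passwords
                findings.append((lineno, user, f"same password as {sha_owner[hash_field]}"))
            sha_owner.setdefault(hash_field, user)
        elif scheme == "bcrypt":
            cost = hash_field.split("$")[2]  # "$2y$10$..." -> "10"
            if not cost.isdigit() or int(cost) < MIN_BCRYPT_COST:
                findings.append((lineno, user, "bcrypt cost below policy floor"))
        elif scheme == "unknown":
            findings.append((lineno, user, "unrecognised hash prefix"))
    return findings
```

Running audit(SAMPLE) reports both {SHA} users, the shared password between them, and the malformed line, while the bcrypt and APR1-MD5 entries pass.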
FAQ
Which hash should I pick?
Bcrypt: it has a tunable work factor and is the most resistant to brute force. APR1-MD5 is acceptable for low-risk endpoints. Avoid SHA-1 unless your server doesn't support anything stronger.
Does nginx support all three?
Nginx via auth_basic_user_file supports APR1-MD5 and SHA-1 natively, and bcrypt on Linux when built against modern crypto. APR1-MD5 is the safest cross-server bet.
Is HTTP Basic Auth secure?
The password is sent on every request in Base64 (effectively plaintext). Only use it over HTTPS, and rotate passwords regularly. For anything sensitive, prefer a real auth layer.
How do I add another user to the same file?
Generate a new entry and append it as an additional line. The file stores one user per line; the hash algorithm can differ per line.