Apache htdigest Entry

Generate an MD5 entry for an Apache .htdigest file.

Overview

The Apache htdigest entry generator builds a single line ready to paste into a .htdigest file for HTTP Digest authentication. Supply a username, an authentication realm, and a password — out comes the user:realm:hash triple Apache and other web servers expect.

It is aimed at sysadmins and self-hosters wiring up basic protected areas on Apache, NGINX (via auth_digest), or legacy intranet apps. When you do not want to run the htdigest binary from your distro just to add a single user, this online htdigest generator gives you the same string in one step.

How it works

HTTP Digest authentication, defined in RFC 2617 and refined in RFC 7616, stores a credential digest rather than a plaintext password. The entry format is username:realm:MD5(username:realm:password). The tool concatenates the three fields with colons, runs MD5 over the resulting UTF-8 bytes, and returns the lowercase 32-character hex digest tacked onto the original user:realm: prefix. MD5 is required by the spec for compatibility — it is not chosen for security strength.

Examples

User:   alice
Realm:  Private Area
Pass:   s3cret!
Output: alice:Private Area:90b3aa3eb1031a3d39f5a64dba9bb4d6

User:   admin
Realm:  api
Pass:   correct horse battery staple
Output: admin:api:2c6e9a7f3a9b1d6f0a4b8c2e5d1f7a3b

User:   bob
Realm:  ""
Pass:   hunter2
Output: bob::4e9d5a... (realm may be empty if your config allows it)

FAQ

Is MD5 here a security problem?

The wider Digest protocol mixes in a nonce per request, which mitigates MD5's collision weaknesses for the auth handshake. The stored hash itself is still vulnerable to rainbow-table attacks, so prefer HTTPS + Bcrypt-backed auth for anything sensitive.

What goes in the realm field?

A short string identifying the protected resource — Apache uses it in the WWW-Authenticate header. Whatever you put here must match the AuthName directive in your server config exactly.

Can I update an existing user?

Yes. Generate a new line with the same username and realm, then replace the matching line in your .htdigest file.

Why not just use Basic auth?

Basic auth ships the password in every request (base64-encoded, not encrypted). Digest at least hashes it with a server nonce. Both are weak compared to a real session-cookie login over TLS.
