Developer Tools
.htpasswd File Generator
Generate .htpasswd files for Apache and Nginx Basic Authentication securely in your browser. Supports bcrypt, APR1-MD5, and SHA-1. Passwords are never sent to the server.
Tips
- Use bcrypt: The most secure algorithm available. Works with Apache 2.4+ and Nginx. Higher cost values slow down hashing and increase resistance to brute-force attacks (10 is a common default).
- APR1-MD5 (
$apr1$) is for compatibility with Apache 2.2 or older. It works with virtually all Apache and Nginx versions. - SHA-1 (
{SHA}) has low collision resistance and is not recommended. Use it only in legacy environments that require backward compatibility. - Place the .htpasswd file outside the
DocumentRoot(or Nginx's web root) so that it cannot be accessed directly over the web. - Always use HTTPS. Basic Authentication credentials are only Base64-encoded, not encrypted — they travel in plain text over HTTP.
FAQ
.htaccess or httpd.conf, pointing AuthUserFile at your generated .htpasswd file:AuthType Basic AuthName "Restricted Area" AuthUserFile /etc/apache2/.htpasswd Require valid-user
nginx.conf or the relevant server block:location /admin {
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}Nginx supports both bcrypt and APR1-MD5.username:hash) to the end of your existing file. Each line represents one user. Blank lines and lines starting with # are ignored.
Side Note — Why Basic Auth survives despite its age
HTTP Basic Authentication was defined in 1999 by RFC 2617 (later updated to RFC 7617). The mechanism is simple: concatenate username and password with :, Base64-encode the result, and send it in the Authorization header.
Its simplicity is exactly why it's still widely used. It's a go-to for staging environments, internal tools, or as a first line of defense combined with IP allowlisting. Two or three config lines are all you need — no extra middleware or database required.
The caveats are real, though: no logout mechanism (the session persists until the browser is closed), no built-in password expiry, and no multi-factor authentication. For production services with genuine security requirements, consider OAuth 2.0 or OIDC instead.