htpasswd Generator

Create password lines for Apache .htpasswd files. Choose between bcrypt (recommended), APR1 (MD5), or SHA1. All hashing is done locally in your browser – your password never leaves your device.

Privacy-first: All hashing is performed locally in your browser. Your username and password are never sent to any server. For bcrypt, we use the audited bcrypt.js library.

What is htpasswd?

htpasswd is a file format used by the Apache HTTP Server to store usernames and passwords for HTTP Basic Authentication. Each line contains a username and a password hash separated by a colon. The hash format is identified by a prefix: $2y$ for bcrypt, $apr1$ for Apache's MD5 variant, and {SHA} for SHA‑1. Apache uses this file to authenticate users requesting protected resources.

Line Format

username:hashed_password

Example: admin:$2y$10$N9qo8uLOickgx2ZMRZoMy.Mr/.PpE1xLZw5oV1Vm4pKtYdQ1N1S/q

Supported Hash Algorithms

Algorithm     Prefix                 Security Level                           Apache Support
bcrypt        $2y$ (or $2a$/$2b$)    High – adaptive, recommended             Apache 2.4+ (mod_authn_dbm, mod_authn_file with apr-util 1.5+)
APR1 (MD5)    $apr1$                 Medium – salted MD5 (Apache specific)    All versions since Apache 1.3
SHA1          {SHA}                  Low – unsalted, fast to brute‑force      Apache 2.0+ (mod_auth_basic with mod_authn_file)

Security Recommendations

  • Use bcrypt whenever possible: bcrypt includes a salt and an adaptive cost factor that makes brute‑force attacks exponentially harder. OWASP recommends bcrypt for password storage.
  • Cost factor selection: Choose a cost that results in ~0.2–0.5 seconds on your server. Cost 10 is a good starting point.
  • Avoid SHA1: It is unsalted and can be cracked quickly with modern hardware. Only use for legacy compatibility.
  • Use HTTPS: Basic Authentication sends the password in base64‑encoded form – always use HTTPS to protect it in transit.

How This Tool Works

All hash generation is performed client‑side using well‑audited libraries:

  • bcrypt: bcrypt.js (based on OpenBSD's implementation) with configurable cost.
  • APR1: A pure‑JavaScript implementation of Apache's MD5‑based algorithm (compatible with htpasswd -m). It generates a random 8‑character salt using crypto.getRandomValues for security.
  • SHA1: The password is hashed with the Web Crypto API (SHA‑1) and then base64‑encoded with the {SHA} prefix.

APR1 Implementation Details

The APR1 algorithm (also called "Apache MD5") is a custom construction based on MD5. It runs 1000 rounds of MD5 and produces a hash of the form $apr1$<salt>$<hash>. Our implementation follows the same logic used by the official Apache htpasswd utility.
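As an added example (Python, not the generator's own JavaScript code), the following reproduces the APR1 construction described above and the {SHA} encoding from the previous section, and verifies a stored htpasswd entry against a candidate password. The entry myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ (password myPassword) is the sample from the Apache httpd documentation on password formats; the {SHA} line is constructed for the example. bcrypt entries are left out because verifying them needs a bcrypt library.

```python
"""Added example: APR1 ($apr1$) and {SHA} htpasswd entries in pure Python.

Implements the md5crypt-style construction Apache uses for "htpasswd -m"
and the unsalted SHA-1 form used by "htpasswd -s", plus a verifier.
Not the generator's own code; bcrypt is not covered (needs a library).
"""
import base64
import hashlib
import hmac
import secrets

# Apache's 64-character alphabet for salts and for the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value, length):
    """Encode the low 6*length bits of value, least significant group first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=""):
    """Return "$apr1$<salt>$<hash>"; a random 8-character salt is drawn if none is given."""
    pw = password.encode("utf-8")
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]  # Apache reads at most 8 salt characters
    sb = salt.encode("ascii")

    # Outer context: password, magic, salt.
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    # Inner digest of password+salt+password, fed in once per 16 bytes of password length.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # Walk the bits of the password length, mixing in a NUL or the first password byte.
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # The 1000-round stretching loop mentioned on the page.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Apache's byte order when encoding the 16-byte digest into 22 characters.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$apr1$%s$%s" % (salt, encoded)


def sha1_hash(password):
    """Return "{SHA}<base64 of the raw SHA-1 digest>", the unsalted form Apache accepts."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_entry(line, username, password):
    """Check one "user:hash" line against a username and a candidate password."""
    user, sep, stored = line.strip().partition(":")
    if not sep or user != username:
        return False
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]  # "$apr1$<salt>$<hash>" -> field 2 is the salt
        candidate = apr1_hash(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        raise ValueError("unsupported hash format in entry for %r" % username)
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(candidate, stored)


# Sample entries: the APR1 line is the example from the Apache httpd password
# formats documentation (password "myPassword"); the {SHA} line is constructed.
APACHE_DOC_LINE = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
SHA_LINE = "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="

if __name__ == "__main__":
    print(verify_entry(APACHE_DOC_LINE, "myName", "myPassword"))  # True
    print(verify_entry(APACHE_DOC_LINE, "myName", "wrong"))       # False
    print(verify_entry(SHA_LINE, "alice", "password"))            # True
    print(apr1_hash("example"))  # fresh random salt on every call
```

The verifier re-derives the hash from the stored salt and compares with hmac.compare_digest; that is the same shape of check Apache performs when it validates a Basic Authentication request against the file.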

Usage Example: Protecting a Directory

  1. Generate a line with this tool.
  2. Create a file .htpasswd in the directory you want to protect (outside web root for security).
  3. Add the generated line to the file (one per user).
  4. In your Apache configuration or .htaccess file, add:
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
Case Study: Internal Development Site

A development team hosts a staging server with several internal tools. They use .htpasswd to restrict access to these tools. By switching from SHA1 to bcrypt (cost 12), they increased password cracking resistance without noticeable performance impact because the site has only a handful of users. The team uses this generator to onboard new developers quickly, ensuring each password is hashed with a unique salt.

Case Study: Legacy Migration

A company maintaining a legacy Apache server with hundreds of APR1 hashed passwords plans to migrate to bcrypt. They use this tool to test bcrypt generation and validate that Apache 2.4 with apr-util 1.5+ correctly recognizes bcrypt hashes. The migration improves security for user credentials.

Common Mistakes to Avoid

  1. Using weak algorithms: Avoid SHA1 for new deployments. Choose bcrypt.
  2. Setting cost too high: Cost 16 may cause unacceptable delays (up to 10 seconds) on slow servers.
  3. Storing .htpasswd inside the web root: Always place it outside the document root to prevent download.
  4. Forgetting to enable HTTPS: Basic Authentication without encryption exposes credentials in base64 (easily decoded).

About the Development Team – This tool was built by the GetZenQuery security group, referencing Apache documentation (Apache htpasswd manual) and OWASP guidelines on password storage. The APR1 implementation has been tested against hashes generated by the official htpasswd -m command for consistency.

Peer Reference: The bcrypt implementation uses the well‑audited bcrypt.js library, which is compatible with OpenBSD's bcrypt.

Frequently Asked Questions

bcrypt support was added in Apache 2.4 with apr-util 1.5 or later. Most modern Linux distributions include this. You can check by running httpd -V and verifying the APR version.

Yes, you can reuse the file across different virtual hosts or directories. Just ensure the file path in each AuthUserFile directive points to the same location.

Yes – all hashing is done locally in your browser. Your password never leaves your device. The page does not transmit any data to our servers.

Start with cost 10 and measure the time on your server. For most environments, 10–12 provides a good balance. Never go below 8.

Yes, our APR1 generator creates a random 8‑character salt using cryptographically secure random numbers. The official htpasswd command does the same.