.htpasswd Generator
Generate .htpasswd entries with bcrypt or MD5-APR1 in your browser. Used for HTTP Basic Authentication on Apache.
Runs entirely in your browser. Nothing is sent to our servers.
About this tool
Generates a single line for an Apache .htpasswd file —
username:hash — used for HTTP Basic Authentication. The
password is hashed entirely in your browser using the Web Crypto API for
SHA-1 and a pure-JS implementation for bcrypt and MD5-APR1. The password
itself is never transmitted to our servers.
Which algorithm?
- bcrypt is the modern default. Apache 2.4+ supports
it out of the box. Hash starts with
$2y$. - MD5-APR1 is Apache's traditional MD5-based crypt.
Hashes start with
$apr1$. Use when bcrypt isn't available on your server. - SHA-1 is plain SHA-1 with a
{SHA}prefix. Largely deprecated — only use for compatibility with very old systems that require it.
Where to put .htpasswd
Put it outside the document root if possible, so it can't
be downloaded as a static file. For example, if your site lives in
/var/www/example.com/public/, put
/var/www/example.com/.htpasswd. Reference its absolute path
in your AuthUserFile directive.
Frequently asked questions
- What's the bcrypt cost factor?
- This tool uses cost 10, which matches Apache's default. Higher costs make hashing slower (good for resisting brute force) but also slow down each authentication request. 10 is a reasonable balance.
- Why does my hash look different each time even with the same password?
- That's the salt working as intended. bcrypt and MD5-APR1 include a random salt in every hash, so the same password produces a different output every time. Apache still verifies them correctly.
- Can I have multiple users in one .htpasswd file?
- Yes — one user per line, in the format
username:hash. Generate each line with this tool and concatenate them. - Is my password sent anywhere?
- No. All hashing happens in your browser. The password and username never leave your device.
Last updated: May 17, 2026