htpasswd Generator
Generate htpasswd entries for nginx auth_basic, Apache .htaccess, and Caddy. APR1 is the htpasswd default and what nginx accepts. Runs entirely in your browser.
Scheme
| Username | Password | Line | |
|---|---|---|---|
|
bcrypt note. APR1 is the htpasswd default but is MD5-based. For maximum security use
htpasswd -B on the command line — bcrypt support requires a large WASM dependency that we don't ship. SHA1 and plain are insecure and only listed for legacy compatibility.About htpasswd Generator
Generate htpasswd entries for nginx, Apache .htaccess, and Caddy basic authentication. Supports APR1 (the htpasswd default, compatible with nginx), SHA1 (legacy), and plain (testing only). Multiple users can be added in one session and the complete.htpasswd file is available to copy or download.
Pipeline
- Nginx Config Builder — generate the nginx config that references your .htpasswd file.
- Password Generator — generate a strong password, then pipe it here to hash it.
Frequently asked
- What is htpasswd?
- htpasswd is the file format used by Apache HTTP Server and nginx for HTTP Basic Authentication. Each line contains a username and a hashed password separated by a colon. The server reads this file to verify credentials when a protected resource is requested.
- What is APR1 and why is it the default?
- APR1 ($apr1$) is the Apache MD5 crypt algorithm — an iterated MD5 hash with a random salt. It is the default format produced by the htpasswd command-line tool and is supported by both Apache and nginx. It is more resistant to brute-force than plain MD5 but weaker than bcrypt. For new deployments, bcrypt is recommended if your server supports it.
- Why is bcrypt not available in this tool?
- A correct bcrypt implementation requires a large WASM dependency (~300 KB) that would significantly increase the page load time. For bcrypt, use the htpasswd command-line tool: htpasswd -B -c .htpasswd username. The -B flag selects bcrypt.
- How do I use the generated file with nginx?
- Save the output as .htpasswd in a directory accessible to nginx (not inside the web root). In your nginx config, add: auth_basic "Restricted"; auth_basic_user_file /path/to/.htpasswd; inside the location block you want to protect. Reload nginx after making changes.
- Is it safe to generate passwords in this tool?
- The hashing runs entirely in your browser using the Web Crypto API (for SHA-1) and a hand-rolled APR1 implementation. Your passwords are never transmitted. That said, for production credentials, generate passwords with a dedicated password manager and use bcrypt via the command line.