.htpasswd Generator
Generate secure password hashes for Apache .htaccess basic authentication locally in your browser.
.htpasswd Generator
Secure password hashing for Apache HTTP authentication
100% Client-Side Security
Your passwords never leave your browser. All hashing is performed locally using bcryptjs and pure JavaScript implementations. No data is sent to any server.
Apache 2.4+ default. Most secure.
Apache 2.2 compatible. Moderate security.
Legacy format. Not recommended.
Oldest format. Extremely weak.
What Is Apache HTTP Basic Authentication?
HTTP Basic Authentication is a simple access control mechanism built into the Apache web server. When enabled for a directory, Apache prompts anyone trying to access it with a username and password dialog. Only users with valid credentials stored in the.htpasswd file can proceed. It is a quick and effective way to protect staging environments, admin panels, or private content without building a full login system.
The credentials are stored in an .htpasswd file where passwords are saved as cryptographic hashes — not plain text. This generator creates those hashes securely in your browser so the password never travels to a server.
How to Set Up .htaccess Password Protection
- Generate a username and hashed password using this tool.
- Create a file named
.htpasswdon your server and paste the output line:username:$2y$10$hashedpasswordhere
- Create or edit the
.htaccessfile in the directory you want to protect:AuthType Basic AuthName "Restricted Area" AuthUserFile /full/server/path/to/.htpasswd Require valid-user - Upload both files to your server. The directory is now password protected.
Which Hash Algorithm to Choose?
- Bcrypt — Recommended. Specifically designed for password hashing, computationally expensive to brute force, and supported by Apache 2.4+.
- SHA1 — Older, fast, and therefore weaker against brute force attacks. Acceptable for low-security internal use only.
- MD5 (APR1) — The Apache-specific MD5 variant. More secure than plain MD5 but still weaker than Bcrypt. Widely supported across hosting providers.
Use Bcrypt whenever your Apache version supports it. It is the industry standard for password hashing and protects against brute force and rainbow table attacks far better than older algorithms.
Knowledge Base
An .htpasswd Generator creates the necessary hashed password strings required by Apache web servers to implement HTTP Basic Authentication. It restricts access to specific directories by requiring a username and password.
- 1Enter a username and a strong password.
- 2Select the hashing algorithm (Bcrypt is recommended for Apache 2.4+).
- 3Click 'Generate Hash' to create the .htpasswd entry.
- 4Download the .htpasswd file or copy the string to your existing file.
- 5Copy the .htaccess configuration snippet to the directory you want to protect.
Most online generators send your password to a server, which is a security risk. Our tool hashes everything 100% client-side. It also provides a one-click download for the .htpasswd file and auto-generates the required .htaccess code snippet, making setup foolproof.
Which algorithm should I choose?
Always choose Bcrypt if you are using Apache 2.4 or newer. It is highly secure against brute-force attacks. Use MD5 only for older Apache 2.2 servers. Avoid SHA1 as it is insecure.
Where should I place the .htpasswd file?
Never place it in the public web root (public_html or www). Place it in a directory above the web root so it cannot be downloaded by visitors.
What does 'AuthUserFile' path mean in the config?
It is the absolute server path to your .htpasswd file, not a URL. You need to change '/path/to/your/.htpasswd' to the actual file path on your hosting server.