
.htpasswd Generator

Generate .htpasswd entries with SHA1-based password hashing

What is it and how does it work?

The `.htpasswd` file is a flat-file database used by Apache HTTP Server (and Nginx, when configured to use `auth_basic`) to store usernames and hashed passwords for HTTP Basic Authentication. Each line in the file contains a username and a hashed password separated by a colon: `username:$apr1$Xx7y9a.$hashedpassword`. The file supports multiple password hashing schemes: MD5 (APR-MD5, `$apr1$`), bcrypt (`$2y$`), SHA-1 (`{SHA}`), and plaintext (not recommended). Apache's `htpasswd` command-line tool generates and manages these files.

This tool generates `.htpasswd` entries without needing the Apache `htpasswd` utility installed, supporting all common hash formats. It also validates existing `.htpasswd` files for syntax correctness. HTTP Basic Authentication sends credentials as Base64-encoded username:password in the Authorization header — it's only secure over HTTPS, as Base64 is trivially reversible.

Common use cases

Frequently asked questions

Which hash format should I use in .htpasswd files?

bcrypt (`$2y$`) is the most secure option currently supported — it's computationally expensive by design, making brute force impractical. APR-MD5 (`$apr1$`) is widely supported but MD5 is now fast enough that brute force attacks are feasible on weak passwords. SHA-1 (`{SHA}`) is insecure for password storage (too fast). Plaintext is never appropriate. Use bcrypt with a cost factor of 10 or higher for new deployments.
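The format rules and the hash-scheme guidance above can be turned into a small audit of an existing `.htpasswd` file. This is an added example, not this tool's own code: the function names, verdict strings and sample entries are assumptions made for illustration, and it goes slightly beyond the text by also flagging lines that fail the `username:hash` syntax.

```python
import base64
import hashlib
import re

# Scheme prefixes named on this page; lengths follow each scheme's standard encoding.
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
APR1 = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
SHA1 = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")

def classify(hash_field, min_cost=10):
    """Return (scheme, verdict) for the hash part of one entry."""
    m = BCRYPT.match(hash_field)
    if m:
        cost = int(m.group(1))
        return ("bcrypt", "ok" if cost >= min_cost else f"raise cost {cost} to {min_cost}+")
    if APR1.match(hash_field):
        return ("apr-md5", "legacy: migrate to bcrypt")
    if SHA1.match(hash_field):
        return ("sha1", "insecure: unsalted and fast")
    # Anything else is treated as plaintext or traditional crypt().
    return ("plaintext-or-crypt", "insecure: replace")

def audit(text, min_cost=10):
    """Return (line_no, user, scheme, verdict) for every non-blank, non-comment line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")  # split at the first colon only
        if not (sep and user and hash_field):
            findings.append((no, None, "malformed", "syntax error: expected username:hash"))
            continue
        findings.append((no, user, *classify(hash_field, min_cost)))
    return findings

# Constructed sample entries; the hashes are format-valid filler, not real credentials.
FILLER = "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = "\n".join([
    "alice:$2y$12$" + FILLER,
    "bob:$apr1$Xx7y9a..$0123456789abcdefghijkl",
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode(),
    "dave:$2y$05$" + FILLER,
    "erin:not-a-hash",
    "line without a colon",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The `carol` entry is built the way `{SHA}` entries are defined, as Base64 of the raw SHA-1 digest with no salt, so two users with the same password end up with identical hash fields.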

Why is HTTP Basic Auth only safe with HTTPS?

HTTP Basic Auth sends the password as `Base64(username:password)` in the Authorization header. Base64 is not encryption — it's trivially reversible. Anyone observing the HTTP traffic (on the same network, a coffee shop Wi-Fi, etc.) can decode the Base64 and read the password in plaintext. Over HTTPS, the TLS layer encrypts the entire HTTP request including headers, making the credentials invisible to observers. Never use HTTP Basic Auth over plain HTTP.

How many users can a .htpasswd file support?

The `.htpasswd` file is a linear format with no indexing. Apache reads the entire file sequentially on every authentication request. For small numbers of users (up to a few hundred), this is fine. For larger user bases, performance degrades — Apache recommends using a database-backed authentication module (mod_authn_dbd) for files larger than a few thousand users. Each line in the file is `username:hash\n` with no maximum defined, but practical limits apply.

What is the difference between Apache .htpasswd and Nginx auth_basic?

Nginx supports the same `.htpasswd` file format for `auth_basic` authentication. Nginx reads the file using the `auth_basic_user_file` directive. Both support bcrypt, APR-MD5, SHA, and crypt hash formats. The file format is identical — a `.htpasswd` file generated for Apache works with Nginx and vice versa. The difference is in how each server is configured to use it (`.htaccess` for Apache, `auth_basic` directive for Nginx).
