HomeSecurity Tools › .htpasswd Generator

Free Online .htpasswd Generator

Generate password entries for Apache .htpasswd files. Enter a username and password to create SHA-1 hashed authentication entries for securing web directories.

1. Copy the generated line above.

2. Create or edit a file named .htpasswd on your server.

3. Paste the line into the file (one entry per line).

4. Create a .htaccess file in the directory to protect:

AuthType Basic\nAuthName "Restricted Area"\nAuthUserFile /full/path/to/.htpasswd\nRequire valid-user

What Is a .htpasswd File?

A .htpasswd file is used by the Apache web server to store usernames and encrypted passwords for HTTP Basic Authentication. When a directory is protected with .htpasswd, visitors must enter a valid username and password to access it. The file contains one entry per line in the format username:encrypted_password.

How This Tool Works

This tool generates .htpasswd entries using the SHA-1 hashing algorithm, which is supported by Apache's {SHA} scheme. The password is hashed using SHA-1 and encoded in Base64. While bcrypt ({$2y$}) is stronger, it cannot be computed client-side in the browser. For production servers handling sensitive data, consider using the htpasswd command-line tool with bcrypt support.

Setting Up Basic Authentication

To protect a directory, you need two files: .htpasswd (containing the credentials) and .htaccess (containing the authentication directives). Place the .htpasswd file outside your web root for security so it cannot be downloaded by visitors. The .htaccess file goes in the directory you want to protect and references the full server path to the .htpasswd file.

Related Tools

Password Generator Hash Generator SSL Checker

Frequently Asked Questions

Is SHA-1 secure enough for .htpasswd?
SHA-1 with {SHA} scheme provides basic security and is widely supported by Apache. For higher security, use bcrypt ({$2y$}) via the command-line htpasswd tool. SHA-1 htpasswd is acceptable for non-critical directories but not recommended for highly sensitive areas.
Where should I place the .htpasswd file?
Place the .htpasswd file outside your web-accessible root directory (public_html or www). This prevents visitors from downloading the file directly. For example, if your site is at /var/www/html, place .htpasswd at /var/www/.htpasswd.
Can I have multiple users?
Yes. Add one username:password line per user in the .htpasswd file. Each user will be able to log in with their own credentials. You can also use Require user username1 username2 in .htaccess to limit access to specific users.
Does this work with Nginx?
Nginx supports Basic Authentication using a similar password file format but configured differently. Use auth_basic and auth_basic_user_file directives in your Nginx config. The SHA-1 format generated here is compatible with Nginx.
Is my password sent to any server?
No. The SHA-1 hash is computed entirely in your browser using the Web Crypto API. Your username and password never leave your device. Always generate passwords over a secure connection nonetheless.