htpasswd Generator

Generate Apache htpasswd password hashes online. Supports bcrypt, MD5 (APR1), SHA1, and plaintext. All hashing done client-side — passwords never leave your browser. Free, no signup.

100% Client-Side Your data never leaves your browser Free · No Sign-Up
All hashing is done 100% in your browser. Passwords never leave this page.
Batch mode One user:password per line

Related Tools

Hash Generator Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text. Password Generator Generate cryptographically secure passwords. Customize length and character sets with entropy meter. RSA Key Pair Generator Generate RSA key pairs (2048/4096-bit) in PEM or JWK format. 100% client-side — keys never leave your browser. AES Encrypt / Decrypt Encrypt and decrypt text using AES-GCM with a user-supplied password. 100% client-side via Web Crypto API — nothing leaves your browser. JSON Formatter Prettify, minify, and validate JSON instantly in your browser. Base64 Encode / Decode Encode text to Base64 or decode Base64 back to plain text.

How to Use

  1. Enter a Username and Password, or click Generate to create a random password.
  2. Select an Algorithm (bcrypt is recommended).
  3. If using bcrypt, adjust the cost factor (higher = more secure but slower).
  4. Click Generate htpasswd line.
  5. Copy the result and add it to your .htpasswd file.

Algorithm Comparison

AlgorithmFormat prefixSecurityNotes
bcrypt$2y$ExcellentRecommended for all new deployments
MD5 (APR1)$apr1$ModerateApache-specific MD5 variant with salt
SHA1{SHA}WeakNo salt; vulnerable to rainbow tables
Plaintext(none)NoneFor testing only — never use in production

Apache Configuration Example

# .htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

Batch Mode

Enter multiple user:password pairs (one per line) in the Batch mode section and click Generate batch to produce an entire .htpasswd file at once.

Security Notes

  • Always store .htpasswd outside your document root so it cannot be served directly.
  • Prefer bcrypt with cost ≥ 10 for production servers.
  • Regenerate hashes if a password is compromised — there is no way to reverse a bcrypt hash.

FAQ

What is an htpasswd file?

An htpasswd file is used by Apache HTTP Server (and nginx via htpasswd modules) to store username and hashed password pairs for HTTP Basic Authentication. Each line has the format username:hashed_password.

Which algorithm should I use?

Use bcrypt (the default). It is the most secure option because it has a configurable cost factor that slows down brute-force attacks. MD5 (APR1) is still widely used but weaker. SHA1 and plaintext are insecure and should be avoided for new deployments.

What is the bcrypt cost factor?

The cost factor (4–12) controls how many rounds of computation are used. Higher values take longer to compute, making brute-force attacks more expensive. The default of 10 is a good balance between security and server performance.

Are my passwords sent to a server?

No. All hashing — including bcrypt — runs entirely in your browser using JavaScript. Your passwords never leave this page.

What is batch mode?

Batch mode lets you generate htpasswd lines for multiple user:password pairs at once. Enter one pair per line (colon-separated) and click Generate batch.

How do I use the generated htpasswd line?

Copy the generated line and append it to your .htpasswd file, or use it as the file contents. In Apache, point to the file with AuthUserFile and set AuthType Basic.