Developer Utilities · Free tool
Htpasswd Generator
Generate .htpasswd lines for Apache + nginx Basic Auth. Browser-only SHA hashing. Includes nginx + Apache config snippets and curl example.
Type a password to see the .htpasswd line. Hashing happens in your browser — nothing's uploaded.
Use bcrypt for production
The {SHA} digest above is unsalted SHA-1 — fine for a small internal staging server, weak against offline brute-force on a public-facing site. For real production, generate the line via Apache's htpasswd -B -c .htpasswd user (bcrypt). Browser bcrypt is possible via WASM but adds a heavy dependency that's not worth bundling for the typical use case here.
Advertisement
What it does
An htpasswd generator builds the credential lines used by Apache and nginx for HTTP Basic Auth: a username, a colon, and a hashed password. You stick the line in a .htpasswd file; the web server reads it on every request to protected paths. Useful for staging environments, internal admin pages, or any quick-and-dirty authentication that doesn't justify a full identity provider.
Hashing happens in your browser via the Web Crypto API — your password never leaves the device. The generator uses the SHA-1 digest format ({SHA} prefix) — Apache's standard and supported by every modern web server. For production, run Apache's actual htpasswd -B command to get a bcrypt-hashed line — that's the only password-hash function safe against offline brute force, and shipping bcrypt-WASM in a 10-KB browser tool isn't worth the dependency for the typical use case.
Embed this tool on your siteShow snippetHide
Paste this snippet into any page. Loads on-demand (lazy), no tracking scripts, and sized to most dashboards. Replace the height to fit your layout.
<iframe src="https://freetoolarena.com/embed/htpasswd-generator" width="100%" height="720" frameborder="0" loading="lazy" title="Htpasswd Generator" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px;"></iframe>Example input & output
Input
admin / hunter2Output
admin:{SHA}9HmlXAKdJ/jQ7KBEEkN+s5Xrwt0=Apache and nginx both accept this format. The {SHA} prefix tells the server to verify by SHA-1-base64 of the supplied password.
How to use it
- Type a username and password.
- Copy the .htpasswd line from the Result box (or click Copy line).
- Save it to a file (typically /etc/nginx/.htpasswd or /etc/apache2/.htpasswd, but anywhere outside the web root works).
- Paste the matching nginx or Apache config snippet into your server block / vhost / .htaccess.
- Reload the web server. Visit the protected URL — you'll get a Basic Auth prompt.
How it works
Web Crypto's crypto.subtle.digest("SHA-1", ...) hashes the password bytes into a 20-byte digest, base64-encoded and prefixed with {SHA} per Apache's convention. The line shape: username:{SHA}base64digest.
On every request to a protected path, the server reads the .htpasswd file, looks up the username, hashes the password the client sent, and compares to the stored digest. SHA-1 is fast both for legitimate verification and for an attacker doing offline brute force — that's why bcrypt is preferred for anything more sensitive than a private staging server.
When to use this tool
- Putting a Basic Auth wall in front of a staging environment so search engines don't index it.
- Locking down a server-side admin panel (phpMyAdmin, Munin, Grafana behind a reverse proxy).
- Quickly password-protecting a static site you've thrown on a VPS.
When not to use it
- Public-facing user accounts — Basic Auth has no logout, no password reset, no rate limiting. Use a real auth system (Auth0, Clerk, Supabase Auth, Keycloak).
- Single-page apps where you want a polished login form — Basic Auth's browser dialog is browser-controlled and ugly.
- High-security admin access — pair Basic Auth with a VPN / Tailscale / Cloudflare Access at minimum, never expose admin UI to the public internet behind only Basic Auth.
Frequently asked questions
- Why SHA and not bcrypt?
- Bcrypt requires a WASM library (~80 KB) to run in-browser; not worth bundling for one tool. Apache's `htpasswd -B` produces bcrypt lines locally; we recommend running it for production. For a small private staging server, the SHA digest is fine.
- Where do I put the .htpasswd file?
- Anywhere outside the web root. Common: /etc/nginx/.htpasswd or /etc/apache2/.htpasswd. Set chmod 600 (use the chmod calculator) so only the web server user can read it.
- Can I have multiple users?
- Yes — generate one line per user and append them all to .htpasswd. The web server reads the whole file on every request (cached) and matches by username.
- How do I delete a user?
- Edit .htpasswd and remove the line. Reload the web server (`nginx -s reload` / `systemctl reload apache2`). The user's session is gone immediately — Basic Auth is stateless.
- What about HTTPS?
- Critical. Basic Auth sends `username:password` base64-encoded in every request. Without HTTPS, anyone on the network sees credentials in plaintext. Always pair Basic Auth with HTTPS.
Advertisement
Learn more
Guides about this topic
- Using Our Tools · GuideHow to generate QR codesMake a QR code for a URL, wifi, vCard, or plain text. What error-correction means, how big to print, how to test it.
- Using Our Tools · GuideHow to create a strong passwordThe entropy math, 2026 NIST rules, passphrases vs passwords, password managers, MFA and hardware keys, where passkeys fit, 5 mistakes that still lose accounts
- Developers & Technical · GuideHow to encode and decode Base64What Base64 is (not encryption), the 3-to-4 encoding mechanics, standard vs URL-safe vs MIME variants, 33% overhead, when to use it, common mistakes
- Design & Media · GuideHow to choose a color paletteHSL color theory, four palette schemes (monochromatic, analogous, complementary, triadic), the 60-30-10 rule, WCAG contrast, dark mode, and palette tools.
- Developers & Technical · GuideHow to use JWT tokens securelyJWT anatomy, HS256 vs RS256, the 'alg: none' attack, expiration strategy, storage (localStorage vs httpOnly cookies), revocation patterns, and claim validation.
- Design & Media · GuideHow to design a faviconThe sizes you actually need in 2026, design principles that survive 16×16 rendering, dark mode support, the HTML tags, web manifest, and testing.
Explore more developer utilities tools
- Port Number LookupQuick reference for ~140 well-known TCP/UDP ports — search by number or service name. Web, mail, DNS, DB, SSH, Docker, Kafka, MQTT, more.
- Test Credit Card NumbersReference table of canonical test card numbers from Stripe, Adyen, and Braintree sandbox docs. Plus Luhn validator + network detector.
- IPv6 Expander & ShortenerExpand or shorten IPv6 addresses to RFC 5952 canonical form. Handles zone IDs, prefix length, embedded IPv4, ip6.arpa reverse DNS, and binary.
- Excel Formula ExplainerPaste an Excel or Google Sheets formula, get a plain-English breakdown of every function. Covers 60+ functions, gotchas, modern alternatives.
- .htaccess GeneratorGenerate Apache .htaccess with HTTPS redirect, Gzip, caching, error pages, hotlink protection, 301 redirects.
- Color Palette ExtractorExtract dominant colors from any image. Histogram-based, runs in browser. Click swatches to copy hex.