Multi-Algorithm .htpasswd Generator

htpasswd files end to end

A .htpasswd file is the user database for HTTP Basic Authentication on Apache, nginx, Caddy and a handful of other web servers. It is a plain text file with one record per line — username:hashed_password — that the web server consults on every protected request. The companion tool that ships with Apache is the htpasswd CLI: htpasswd -c users.txt admin creates the file and adds the first user, then htpasswd users.txt deploy appends more without the -c. Pair it with an .htaccess block (Apache) or auth_basic + auth_basic_user_file (nginx) and any unauthenticated request gets a 401 WWW-Authenticate challenge.

Hash algorithms — pick wisely

• bcrypt (-B) — the modern recommendation, supported by Apache 2.4.4+ and nginx 1.0.3+. Cost is tunable via -C 12 (range 4-31; higher cost = slower brute force). Default cost in htpasswd is a weak 5 — bump it to 10-12.
• APR1 MD5 ($apr1$) — Apache's salted MD5 variant from 1996. The historical default; still acceptable for low-stakes gating but no longer state of the art.
• SHA-1 (-s, prefix {SHA}) — unsalted, fast, broken. Deprecated, avoid.
• crypt (-d) — legacy Unix DES-based; only the first 8 characters of the password actually matter. Useful only for ancient compatibility.
• plain (-p) — password stored in cleartext. Never use beyond throwaway local tests.

Generating offline

The safest path is your own machine. The htpasswd binary comes with the apache2-utils (Debian/Ubuntu) or httpd-tools (RHEL) package. Without Apache installed, equivalent one-liners do the job:

htpasswd -nbB admin "S3cret!"         # bcrypt
openssl passwd -apr1 "S3cret!"        # APR1 MD5
mkpasswd -m sha-512 "S3cret!"         # SHA-512 crypt

Never paste a real password into a third-party site. This builder is fine for sample files and demos, but for production users generate the hash where the password lives — your terminal, a config-management secret store, or a CI pipeline with masked variables.

Server compatibility matrix

Apache 2.4+ understands every algorithm above. nginx accepts APR1 and bcrypt (since 1.0.3); SHA-1 and plain also work but are discouraged. Caddy 2 is opinionated and only accepts bcrypt via its basicauth directive. Traefik, HAProxy and Kong follow the bcrypt-only trend. Whatever the server, remember that HTTP Basic sends credentials base64-encoded, not encrypted — running it without HTTPS means every request leaks the password in plain. Always terminate TLS at the front door.

When to move beyond Basic Auth

.htpasswd is great for internal tools, staging gateways, admin panels and short-lived prototypes — fast to set up, no database, no sessions. For anything user-facing or multi-tenant, layer on oauth2-proxy, Authelia, Authentik or a managed identity edge like Cloudflare Zero Trust. These give SSO, MFA, audit logs and per-route policies that a flat file cannot. Argon2 is the modern password-hashing winner (Password Hashing Competition 2015) but htpasswd doesn't ship support — bcrypt at cost 12 is still a perfectly fine choice for this format.

FAQ

Which algorithm should I pick? bcrypt with cost 10-12 unless you must support a very old server. APR1 is acceptable but not great; SHA-1, crypt and plain should be retired.

Is HTTPS mandatory? Yes, always. Basic Auth credentials are base64, not encrypted — anyone on the wire reads them in cleartext over plain HTTP.

Does nginx really accept bcrypt? Yes since version 1.0.3 (2011). Generate with htpasswd -nbB user pass and drop the result into the file referenced by auth_basic_user_file.

How do I rotate a password? Run htpasswd users.txt admin (no -c) — it overwrites the existing entry for that user without touching the rest of the file.

Is there a modern replacement? Yes. For real auth use OAuth2/OIDC through oauth2-proxy, Authelia or Authentik. .htpasswd is best kept for low-stakes gating.