CheckTown

htpasswd Generator: Apache and Nginx Basic Authentication


What Is htpasswd?

An htpasswd file is a flat-file database used by Apache and Nginx web servers to store usernames and hashed passwords for HTTP Basic Authentication. Each line contains a username and a password hash separated by a colon, such as admin:$2y$10$abc... The file provides a simple way to protect web resources without requiring a full authentication backend.

The htpasswd utility was originally part of the Apache HTTP Server project, but the file format has become a de facto standard supported by many web servers, reverse proxies, and development tools. Modern htpasswd generators support multiple hashing algorithms including bcrypt, SHA-1, and MD5, with bcrypt being the recommended choice for security.

How htpasswd Generation Works

Generating an htpasswd entry involves hashing a plain-text password with a chosen algorithm and formatting it alongside the username. The strength of the resulting hash depends on the algorithm and its configuration.

  • bcrypt ($2y$) — the strongest option. Its cost factor sets how many rounds each hash takes (2^cost), so every increment doubles the attacker's work as well as yours. Most online generators default to cost 10; note that Apache's own htpasswd -B defaults to cost 5 unless you raise it with -C. Nginx reads bcrypt entries through the system crypt() function, so support depends on the installed libcrypt rather than on Nginx itself
  • SHA-1 ({SHA}) — a Base64-encoded SHA-1 digest prefixed with {SHA}. It is unsalted and uses a single fast hash, so identical passwords produce identical entries and a GPU can test billions of candidates per second against a leaked file
  • MD5 ($apr1$) — Apache's salted, 1000-iteration MD5 construction. It is still accepted by both servers, but MD5 is so cheap to compute that the fixed 1000 rounds add little protection; avoid it for new deployments
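The three formats differ only in the string that follows the username, so a verifier can dispatch on the prefix. The block below is an added example, not code from the CheckTown tool or from Apache: it re-implements the {SHA} scheme and Apache's $apr1$ scheme in Python from the published apr_md5_encode algorithm, then checks a username and password against htpasswd file contents. bcrypt entries are handed to the third-party `bcrypt` package, which is assumed to be installed only if such entries occur; the sample file, users and salt are constructed for the example.

```python
"""Generate and verify htpasswd entries ({SHA}, $apr1$, and bcrypt via a
third-party package). Added example; not Apache's or CheckTown's code."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Apache's crypt-style alphabet, also used for random apr1 salts.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: Optional[str] = None) -> str:
    """Return a $apr1$<salt>$<hash> string as `htpasswd -m` would produce."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt_b = salt[:8].encode()  # Apache uses at most 8 salt characters
    pw = password.encode()

    ctx = hashlib.md5(pw + APR1_MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password length.
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, pl)])
    # For each bit of the length: a NUL byte if set, else the first pw byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # Fixed 1000 rounds of stretching; this constant is why apr1 stays weak.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + salt_b.decode() + "$" + enc


def sha1_hash(password: str) -> str:
    """Return a {SHA} entry. Unsalted: equal passwords give equal entries."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify_entry(stored: str, password: str) -> bool:
    """Check one stored hash against a password, dispatching on its prefix."""
    if stored.startswith("$apr1$"):
        salt = stored[6:].split("$", 1)[0]  # recover the salt from the entry
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_hash(password), stored)
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        import bcrypt  # third-party; assumed installed only for bcrypt entries
        return bcrypt.checkpw(password.encode(), stored.encode())
    raise ValueError("unsupported hash format: " + stored[:6])


def check_htpasswd(file_text: str, username: str, password: str) -> bool:
    """Authenticate against htpasswd contents (one user:hash per line)."""
    for line in file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user == username:
            return verify_entry(stored, password)
    return False


# Constructed sample file: two users, two formats (salt chosen for the example).
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + apr1_hash("correct horse", "rq7ZcWbW"),
    "bob:" + sha1_hash("password"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_htpasswd(SAMPLE_HTPASSWD, "alice", "correct horse"))
    print(check_htpasswd(SAMPLE_HTPASSWD, "alice", "wrong"))
```

The apr1 implementation is deliberately unoptimised; its point is to make visible that the work factor is a hard-coded 1000 MD5 calls, whereas bcrypt's `$2y$10$` prefix encodes 2^10 rounds and can be raised later without changing the file format. `hmac.compare_digest` is used for the comparisons so that a wrong password is rejected in the same time regardless of where the mismatch occurs.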


Common Uses for htpasswd

htpasswd-based authentication is widely used for lightweight access control where a full authentication system would be overkill.

  • Staging site protection — restrict access to pre-production environments so only team members and stakeholders can view in-progress work
  • Admin panel security — add an extra layer of authentication in front of CMS admin panels, database management tools, or monitoring dashboards
  • Development environment access — protect local or shared development servers from unauthorized access without setting up OAuth or LDAP

Frequently Asked Questions

Should I use bcrypt, SHA-1, or MD5 for htpasswd?

Always use bcrypt when possible. Bcrypt is purpose-built for password hashing, and its configurable cost factor lets you keep brute-force attacks expensive as hardware improves. SHA-1 and MD5 are fast general-purpose hash functions that were never designed for passwords; the {SHA} form is also unsalted, and both can be cracked orders of magnitude faster than bcrypt. Apache httpd has supported bcrypt since 2.4.4 (htpasswd -B), so any current installation accepts it.

Where should I place the htpasswd file on my server?

Store the htpasswd file outside your web root so it can never be served to visitors. A common location is /etc/apache2/.htpasswd or /etc/nginx/.htpasswd. Then reference it in your server configuration with AuthUserFile (Apache) or auth_basic_user_file (Nginx). Never place it in a publicly accessible directory, and restrict its permissions so that only the account the web server runs as can read it (for example, owned by root with group read for the server's group and no access for others); anyone who can read the file can run an offline cracking attack against every hash in it.
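As an added illustration (not configuration from the page), here is how the file is referenced from an Apache virtual host; the path, realm name and file name are assumptions chosen to match the locations above.

```apache
# Added example: protect a staging site with a file kept outside DocumentRoot.
# The file itself should be root:www-data with mode 0640 (or equivalent for
# your server's user), so the web server can read it and nobody else can.
<VirtualHost *:443>
    ServerName staging.example.com
    DocumentRoot /var/www/staging

    <Location "/">
        AuthType Basic
        AuthName "Staging"
        # Not under /var/www, so it can never be served as a static file.
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The Nginx equivalent is a `location / { auth_basic "Staging"; auth_basic_user_file /etc/nginx/.htpasswd; }` block inside a `server` that listens on 443 with TLS. In both cases, put the authentication inside the HTTPS virtual host only, since the credentials travel in the clear on any plain-HTTP listener.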

Is HTTP Basic Authentication secure enough for production?

Basic Authentication sends credentials as Base64-encoded text (not encrypted) with every request, so it must always be used over HTTPS. Even with HTTPS, it lacks features like session management, rate limiting, and account lockout. It is suitable for low-risk scenarios like staging sites or internal tools, but production user-facing authentication should use a proper auth system with token-based sessions.
