Creating a .htpasswd file

What the file is, how HTTP basic authentication works, which password hash to pick, and how to wire it into Apache and nginx.

Open the .htpasswd Generator →

What this tool does

The .htpasswd Generator turns a username and password into the username:hash line that Apache and nginx use for HTTP basic authentication. It can hash with bcrypt, Apache MD5 (apr1) or SHA-1, all in your browser — the password is never sent to a server.

What is basic authentication?

HTTP basic auth is the simplest way to password-protect a site or directory: the browser pops up a username/password box, and the server checks the credentials against a file of hashed passwords — the .htpasswd file. It's ideal for staging sites, internal tools and quick gates. Because the credentials travel with each request, always serve such pages over HTTPS.

Anatomy of the file

Each line is one user:

admin:$2y$10$Q9…(bcrypt hash)…
deploy:$apr1$Xy12$…(apache md5)…

The part after the colon is a one-way hash, so the file never stores the real password. The prefix tells the server which scheme was used: $2y$/$2b$ for bcrypt, $apr1$ for Apache MD5, and {SHA} for SHA-1.

Which hash should I choose?

  • bcrypt — the strongest option, with a tunable cost factor. Best choice on Apache 2.4+. Start with cost 10.
  • Apache MD5 (apr1) — salted and iterated; the traditional htpasswd default and the safest bet for nginx.
  • SHA-1 ({SHA}) — broadly compatible but unsalted and fast to brute-force; use only for legacy systems that need it.
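
To check an existing file against the prefixes and recommendations above, here is an added example (not the generator's own code) that classifies each line by its hash prefix and flags weak entries. The function names and the sample entries are constructed for illustration, and it assumes blank lines and # comment lines are skipped.

```python
import base64
import hashlib
import re

# bcrypt: $2y$ or $2b$, two-digit cost, then 53 chars of salt + digest
BCRYPT = re.compile(r"^\$2[by]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # the page's suggested starting cost

def sha_entry(password):
    """{SHA} value: base64 of the raw SHA-1 digest, with no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def classify(hash_field):
    """Return (scheme, warning or None), decided by the hash prefix."""
    m = BCRYPT.match(hash_field)
    if m:
        cost = int(m.group(1))
        return "bcrypt", (f"cost {cost} is below {MIN_COST}" if cost < MIN_COST else None)
    if hash_field.startswith("$apr1$"):
        return "apr1", None
    if hash_field.startswith("{SHA}"):
        return "sha1", "unsalted SHA-1, legacy use only"
    return "unknown", "unrecognised prefix (plaintext or system crypt?)"

def audit(text):
    """Return [(line_no, user, scheme, warning)] for every entry in the file."""
    seen_sha, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not (user and sep and hash_field):
            findings.append((n, user, "malformed", "expected user:hash"))
            continue
        scheme, warning = classify(hash_field)
        if scheme == "sha1":
            # Unsalted: equal passwords give equal hashes, visible to anyone reading the file
            first = seen_sha.setdefault(hash_field, user)
            if first != user:
                warning += f"; same password as '{first}'"
        findings.append((n, user, scheme, warning))
    return findings

# Constructed sample: filler hashes and a made-up password, not real credentials
SAMPLE = "\n".join(["admin:$2y$08$" + "A" * 53, "deploy:$apr1$saltsalt$" + "B" * 22,
                    "alice:" + sha_entry("example-pw"), "bob:" + sha_entry("example-pw"),
                    "broken-line"])
```

Calling audit(SAMPLE) reports the low bcrypt cost on line 1, both {SHA} entries (the second also as sharing a password with the first), and the malformed last line.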

Whichever you pick, the security still rests on the password itself — check it with the Password Strength Checker or create a strong one with the Password Generator.

Using it in Apache

  1. Save your generated line(s) to a file outside the web root, e.g. /etc/apache2/.htpasswd.
  2. In the directory/vhost config (or an .htaccess):

     AuthType Basic
     AuthName "Restricted"
     AuthUserFile /etc/apache2/.htpasswd
     Require valid-user

Reload Apache (sudo systemctl reload apache2).

Using it in nginx

location /admin/ {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Reload nginx (sudo nginx -s reload). For nginx, prefer the apr1 format.

How to use the generator

  1. Enter the username and password.
  2. Pick a hash format (and bcrypt cost, if using bcrypt).
  3. Copy the username:hash line into your .htpasswd file — one line per user.

Your data stays private

All hashing happens locally in your browser; the username and password are never uploaded or stored.

FAQ

How do I add a .htpasswd file to my server?

Save the username:hash lines to a file outside the web root, then point Apache (AuthUserFile) or nginx (auth_basic_user_file) at it and reload.

Can I have more than one user?

Yes — one username:hash line per user, all in the same file.

Does nginx support bcrypt in .htpasswd?

nginx reliably supports apr1, {SHA} and system crypt; bcrypt depends on the platform, so apr1 is the safe choice for nginx.
