Htpasswd Generator
Generate an htpasswd entry using bcrypt — compatible with Apache and nginx basic auth. Runs entirely in your browser.
What is an htpasswd file and when do you need one?
An htpasswd file is a flat text file used by Apache HTTP Server and nginx to implement
HTTP Basic Authentication. Every line holds one credential pair:
username:hash. When a browser requests a protected resource, the server
challenges it for a username and password, hashes the supplied password, and compares it
against the stored hash. If they match, access is granted.
Why bcrypt?
Apache's htpasswd utility supports MD5-crypt, SHA-1, and bcrypt. MD5 and SHA-1
are fast hash functions — an attacker with a GPU can test billions of candidates per second.
bcrypt is intentionally slow: a cost factor of 10 means each guess requires roughly
2^10 = 1,024 bcrypt iterations. That raises the cost of a brute-force attack by
orders of magnitude, protecting your users even if the file is exposed.
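As an added example (not part of this tool or of bcryptjs), the following dependency-free JavaScript audits an existing .htpasswd file against the points above: it identifies each entry's hash scheme by its prefix and flags fast hashes and bcrypt entries below a minimum cost. The function names, the default minimum cost of 10 and the sample entries are assumptions made for illustration; `$apr1$` and `{SHA}` are the markers Apache uses for its MD5-crypt and SHA-1 formats.

```javascript
// Added example: classify each htpasswd entry by hash scheme and bcrypt cost.
// bcrypt layout: $2a/$2b/$2y, two-digit cost, then 22 salt + 31 hash characters.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function classifyEntry(line, minCost = 10) {
  // Fields are colon-separated: username, hash, optional trailing comment.
  const [user, hash = ""] = line.split(":");
  if (!user || !hash) {
    return { user, scheme: "invalid", ok: false, reason: "expected username:hash" };
  }
  const m = BCRYPT_RE.exec(hash);
  if (m) {
    const cost = parseInt(m[2], 10);
    const ok = cost >= minCost;
    return {
      user, scheme: "bcrypt", cost, iterations: 2 ** cost, ok,
      reason: ok ? "cost meets minimum" : `cost ${cost} is below ${minCost}`,
    };
  }
  if (hash.startsWith("$2")) {
    return { user, scheme: "bcrypt", ok: false, reason: "malformed bcrypt hash" };
  }
  if (hash.startsWith("$apr1$")) {
    return { user, scheme: "md5-crypt", ok: false, reason: "fast hash, regenerate with bcrypt" };
  }
  if (hash.startsWith("{SHA}")) {
    return { user, scheme: "sha1", ok: false, reason: "fast unsalted hash, regenerate with bcrypt" };
  }
  return { user, scheme: "unknown", ok: false, reason: "unrecognised hash format" };
}

function auditHtpasswd(text, minCost = 10) {
  return text.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l !== "" && !l.startsWith("#")) // skip blanks and comments
    .map((l) => classifyEntry(l, minCost));
}

// Constructed sample: the hash bodies are filler characters, not real hashes.
const SAMPLE = [
  "alice:$2b$12$" + "A".repeat(53),
  "bob:$2y$08$" + "B".repeat(53),
  "carol:$apr1$saltsalt$" + "C".repeat(22),
  "dave:{SHA}" + "D".repeat(27) + "=",
  "erin:$2b$10$tooshort",
].join("\n");

for (const r of auditHtpasswd(SAMPLE)) {
  console.log(`${r.user}: ${r.scheme} ${r.ok ? "OK" : "FLAG"} (${r.reason})`);
}
```

Entries flagged as md5-crypt, sha1 or low-cost bcrypt cannot be upgraded in place; the password has to be hashed again and the line replaced.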
How to use the generated line
- Enter a username and a strong password below, choose a cost factor, and click Generate.
- Copy the output line and paste it into your .htpasswd file (create the file if it doesn't exist).
- In Apache, add AuthUserFile /path/to/.htpasswd and Require valid-user to the relevant <Directory> or .htaccess block.
- In nginx, use auth_basic_user_file /path/to/.htpasswd inside the location block.
Privacy note
All hashing is performed entirely in your browser using the
bcryptjs library. Your username and password are never transmitted to any server.
Frequently Asked Questions
What is an htpasswd file?
An htpasswd file stores usernames and hashed passwords used by Apache HTTP Server (and nginx) to protect directories or endpoints with HTTP Basic Authentication. Each line follows the format username:hash. Both servers support several hash algorithms; bcrypt (the $2y$ / $2b$ prefix) is the strongest and recommended choice for new deployments.
Which hash format does this generator use?
This tool uses bcrypt, encoded as $2b$<rounds>$... Apache 2.4+ and nginx (via the auth_basic module with the htpasswd utility) both accept this format. bcrypt is deliberately slow, making brute-force attacks impractical even if the htpasswd file is leaked.
What cost (rounds) should I choose?
The cost factor controls how slow bcrypt is. Higher values give stronger protection but add latency on every login. Round 10 (the default) is a widely accepted baseline — it takes roughly 100 ms on a typical server. Round 12 gives ~4× more work; use it if your server can tolerate ~400 ms per login check.