Zero Signup Tools - Free browser tools

htpasswd Generator

Generate htpasswd entries for Apache and Nginx basic auth in your browser. APR1-MD5, SHA-1, and plain formats, multi-user file output, server config snippets.

Hash format

Pick the format your server expects. APR1-MD5 is the safest portable choice without a dependency.

Want bcrypt?

Bcrypt is the strongest format Apache supports, but it cannot be computed in the browser without a heavy library. For bcrypt, run the official Apache CLI on your machine: htpasswd -B -c .htpasswd username. The -c flag creates the file and overwrites an existing one, so omit it when adding users to a file you already have. APR1-MD5 above is the strongest dependency-free format we ship.

Users

Add one row per user. Usernames cannot contain a colon or whitespace.

.htpasswd file

Hashing runs locally; passwords never leave the page.

Apache (.htaccess)

Drop this snippet into the .htaccess of the directory you want to protect, alongside your .htpasswd file.

AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/example.com/.htpasswd
Require valid-user

Nginx (server block)

Put this inside the location or server block you want to protect. Reload nginx after editing.

location /private/ {
  auth_basic "Restricted area";
  auth_basic_user_file /etc/nginx/.htpasswd;
}

Caddy (Caddyfile)

Caddy expects bcrypt hashes. Generate them with the Apache htpasswd -B CLI and paste the hash next to the username.

example.com {
  basicauth /private/* {
    admin $2a$14$REPLACE_WITH_BCRYPT_HASH
  }
  root * /srv
  file_server
}

lighttpd

Enable mod_auth, then point auth.backend.htpasswd.userfile at the file you just created.

server.modules += ( "mod_auth" )
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/.htpasswd"
auth.require = ( "/private/" =>
  ( "method" => "basic",
    "realm"  => "Restricted area",
    "require" => "valid-user" )
)

Hashes are generated entirely in your browser. Salts use crypto.getRandomValues and SHA-1 uses the Web Crypto API. APR1-MD5 ships with an in-browser MD5 routine because the platform does not expose MD5. Nothing about your usernames or passwords is sent off-device.

How to use

  1. Pick a hash format. APR1-MD5 is the recommended portable choice and works on Apache, Nginx, lighttpd, and Caddy file servers. Use SHA-1 only if your server demands the {SHA} prefix.
  2. Type a username and password for the first user. Use the Random button next to the password to generate a strong 16-character random password.
  3. Click Add user to add more rows. Usernames cannot contain a colon or whitespace; the tool flags either inline.
  4. Copy a single line with Copy line next to a user, or grab the full .htpasswd file with Copy file or Download.
  5. Scroll to the server config snippets to copy a matching Apache, Nginx, Caddy, or lighttpd block that points at your new file.

About this tool

htpasswd Generator builds password file entries for HTTP basic authentication on Apache, Nginx, lighttpd, and Caddy, entirely in your browser. Add one or more username and password pairs, pick a hash format, and the tool produces a complete .htpasswd file you can copy or download.

Three formats are supported:

  • APR1-MD5 ($apr1$salt$digest): Apache's portable iterative MD5 with a random eight-character salt, and the de facto default for portable htpasswd files.
  • SHA-1 ({SHA}base64): the unsalted format Apache and Nginx both read.
  • Plain text (user:password): the cleartext form Nginx accepts for local testing.

Each row validates the username (no colons, no whitespace) and the password (required), surfaces clear inline errors, and lets you re-roll APR1 salts on demand. A random-password button generates a 16-character password from a 70-character alphabet that skips ambiguous characters like I, l, O, 0, and 1.

Bcrypt, the strongest format Apache supports, is intentionally omitted because computing it in the browser requires a heavy library; the tool calls this out and points to the official htpasswd -B CLI.

Below the file output you'll find ready-to-paste server snippets for Apache (.htaccess), Nginx (server block), Caddy (Caddyfile), and lighttpd (mod_auth), so you can wire up a protected directory in seconds.

Salts come from crypto.getRandomValues, SHA-1 uses the Web Crypto API, and the APR1 implementation ships its own MD5 routine because the platform does not expose MD5. Nothing about your usernames or passwords leaves the page.
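The following is an added example, not this tool's own code: it audits .htpasswd text for the formats described above (plus bcrypt), flagging plaintext and unsalted {SHA} entries and reporting {SHA} users whose digests match, which means they share a password. The function name, patterns, and sample entries are constructed for illustration.

```javascript
// Added example: audits .htpasswd text for the formats this page describes.
// All names and sample entries are constructed for illustration.
const FORMATS = [
  { name: "bcrypt", re: /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/ },
  { name: "apr1-md5", re: /^\$apr1\$[.\/A-Za-z0-9]{1,8}\$[.\/A-Za-z0-9]{22}$/ },
  { name: "sha1", re: /^\{SHA\}[A-Za-z0-9+\/]{27}=$/ }, // 20-byte digest in base64
];

function auditHtpasswd(text) {
  const findings = [];
  const shaSeen = new Map(); // {SHA} value -> first username that used it
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.trim() === "" || line.startsWith("#")) return; // blank or comment
    const n = i + 1;
    const sep = line.indexOf(":"); // first colon ends the username
    if (sep < 1) {
      findings.push({ line: n, issue: "no user:hash separator" });
      return;
    }
    const user = line.slice(0, sep);
    const secret = line.slice(sep + 1);
    if (/\s/.test(user)) {
      findings.push({ line: n, user, issue: "whitespace in username" });
    }
    const fmt = FORMATS.find((f) => f.re.test(secret));
    if (!fmt) {
      findings.push({ line: n, user, issue: "plaintext or unrecognized hash" });
    } else if (fmt.name === "sha1") {
      // No salt: identical passwords always produce identical entries.
      const first = shaSeen.get(secret);
      const issue = first
        ? `unsalted {SHA}: same password as ${first}`
        : "unsalted {SHA}";
      findings.push({ line: n, user, issue });
      if (!first) shaSeen.set(secret, user);
    }
  });
  return findings;
}

// Constructed sample file; the values are placeholders, not real credentials.
const SAMPLE = [
  "# constructed sample file",
  "alice:$apr1$Xk3mQ9zR$0123456789abcdefghijkl",
  "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
  "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
  "dave:hunter2",
  "bad user:$apr1$Xk3mQ9zR$0123456789abcdefghijkl",
].join("\n");
console.log(auditHtpasswd(SAMPLE));
```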

Free to use. Works in your browser. No signup, no login.
