htpasswd Generator
Generate production-ready htpasswd entries using bcrypt (-B), Apache MD5 (-m), SHA1 (-s), or plaintext—completely client-side.
- Zero trust by design: No network calls.
- Multiple algorithms: Bcrypt, apr1, SHA, plain.
What is htpasswd?
The htpasswd file is a flat-file database used to store usernames and hashed passwords for basic authentication on Apache and Nginx web servers. It is a simple but effective way to protect specific directories or administrative panels on a website without needing a full database-backed authentication system.
Each line in an htpasswd file represents a single user and follows the format username:hashed_password.
How to Use This Tool
- Enter Username: Type the username you want to use for authentication.
- Provide Password: Enter a password or click Generate strong to create a secure one.
- Select Algorithm: Choose Bcrypt (-B) for modern security or Apache MD5 (-m) for legacy compatibility.
- Generate: Click Generate entry to create the hashed string.
- Copy or Download: Copy the resulting line to your clipboard or download it as a file to upload to your server.
Common Use Cases
- Admin Panels: Protecting sensitive areas like /admin or /wp-admin with an extra layer of server-level security.
- Staging Sites: Restricting access to development or staging environments so they are not indexed by search engines or viewed by the public.
- Private Repositories: Securing local Git or SVN repositories served over HTTP.
- API Gateways: Implementing simple authentication for internal microservices or legacy APIs.
Pro Tips
- Always Use Bcrypt: Bcrypt is intentionally slow and uses a cost factor to resist brute-force attacks. It is significantly more secure than the legacy MD5 or SHA1 options.
- Secure the File: Name your file .htpasswd (with a leading dot) and store it outside your web root directory to prevent it from being downloaded.
- HTTPS is Mandatory: Basic authentication sends credentials in a format that is easily reversible. Never use it over unencrypted HTTP; always ensure your site is served over HTTPS.
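To check an existing file against the username:hashed_password format and the "Always Use Bcrypt" tip above, the following added example (not part of this tool's code) classifies each entry by its scheme prefix and reports users who share an unsalted {SHA} hash. The function names, the cost threshold of 12, and the sample entries are assumptions made for illustration.

```python
import base64
import hashlib
import re

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
SHA1_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")
MIN_BCRYPT_COST = 12  # assumed policy threshold, adjust to your own

def classify(hash_field):
    """Return (scheme, finding) for the text after 'username:'."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        return "bcrypt", "ok" if cost >= MIN_BCRYPT_COST else f"cost {cost} too low"
    if APR1_RE.match(hash_field):
        return "apr1", "legacy MD5-based scheme"
    if SHA1_RE.match(hash_field):
        return "sha1", "unsalted SHA-1"
    return "plain-or-unknown", "no recognised hash prefix"

def audit(text):
    """Return (rows, shared): per-line findings and users sharing a {SHA} hash."""
    rows, by_hash = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        bad = ("malformed", "expected username:hash")
        scheme, finding = classify(hash_field) if sep and user else bad
        rows.append((no, user, scheme, finding))
        if scheme == "sha1":  # no salt, so equal passwords give equal hashes
            by_hash.setdefault(hash_field, []).append(user)
    return rows, [users for users in by_hash.values() if len(users) > 1]

def sha_entry(user, password):
    """Build a -s style line: {SHA} + base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample; bcrypt/apr1 bodies are shape-only placeholders, not real hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "A" * 53, "bob:$2y$05$" + "B" * 53,
    "carol:$apr1$saltsalt$" + "C" * 22, "frank:hunter2", "no-colon-here",
    sha_entry("dave", "Spring2024!"), sha_entry("erin", "Spring2024!"),
])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The auditor only inspects the shape of each entry; it never needs the passwords themselves, so it can be run against a copy of a production file.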