Question 1

What is htpasswd?

Accepted Answer

htpasswd is an Apache utility that creates and manages user authentication files for HTTP Basic Authentication. Each line in an .htpasswd file contains a username:hash pair. Supported hash types include bcrypt, SHA-1 (base64), MD5 (APR), and plain text (not recommended).

Question 2

Which htpasswd format should I use?

Accepted Answer

Use bcrypt (cost factor 10+) for new deployments — it's the most secure option. The bcrypt format starts with $2y$ in Apache. SHA-1 base64 is readable but insecure. MD5 APR ($apr1$) is legacy. Plain text is never appropriate for production.

Question 3

How do I use an .htpasswd file with nginx?

Accepted Answer

In nginx: add 'auth_basic "Restricted";' and 'auth_basic_user_file /etc/nginx/.htpasswd;' to your location block. Nginx supports bcrypt, SHA-1 base64, and plain text formats. Generate the file with Apache's htpasswd utility or this tool.

Question 4

How many users can be in one .htpasswd file?

Accepted Answer

There's no hard limit, but performance degrades with very large files because the server reads the whole file on each request. For hundreds of users or more, use a proper authentication system (LDAP, OAuth) rather than .htpasswd.

Question 5

How do I add a user to an existing .htpasswd file?

Accepted Answer

Using Apache's htpasswd: 'htpasswd /path/.htpasswd newuser' (prompts for password). To add without prompt: 'htpasswd -b /path/.htpasswd user password'. Each line is independent — you can manually append username:hash lines generated by this tool.

Question 6

How do I create an .htpasswd file?

Accepted Answer

Enter a username and password above, select your hash algorithm (bcrypt recommended, MD5 for Apache compatibility), and click Generate. The tool outputs the correctly formatted username:hash line for your .htpasswd file. Add multiple entries by generating each separately. Place the .htpasswd file outside your web root and reference it in your Apache or Nginx config.

Question 7

What hash algorithm should I use in .htpasswd?

Accepted Answer

Use bcrypt ($2y$ prefix) for the strongest security — it's supported in Apache 2.4+ and Nginx. APR-MD5 ($apr1$) is widely compatible with older Apache versions. SHA1 ({SHA}) and plain MD5 are insecure and should be avoided. The generated htpasswd hash uses the same format Apache's htpasswd command-line tool produces.

Htpasswd Generator — Free Online .htpasswd File Creator

Frequently Asked Questions

Creating .htpasswd Files for HTTP Basic Authentication

Related Tools

Bcrypt Generator

SHA-1

MD5

Password Generator