htpasswd Generator Online
Generate a .htpasswd user line with bcrypt or SHA-1 from a username and password, right in your browser. Credentials stay on your device.
The htpasswd Generator hashes your password in your browser — bcrypt in a lazily loaded module and SHA-1 via the Web Crypto API. The username and password you enter never leave your device and are never uploaded to ArrayKit.
Open the Basic Auth Generator
About htpasswd Generator
The htpasswd Generator turns a username and password into a single .htpasswd line for Apache or nginx HTTP basic auth. Pick bcrypt, the recommended salted scheme that Apache writes as $2y$, or the legacy {SHA} scheme (unsalted SHA-1, Base64) for older setups. The tool outputs a ready user:hash line you can copy or download and append to your .htpasswd file, then protect a directory with AuthType Basic or nginx auth_basic_user_file. It suits sysadmins and developers locking down a staging site, an internal dashboard, or a directory behind a reverse proxy. bcrypt hashing runs with a fresh random salt each time and SHA-1 uses the Web Crypto API — all in your browser, so the password you type never leaves your device.
Features
- Generate a user:hash line for a .htpasswd file from a username and password
- bcrypt scheme with a random salt, emitted with Apache's $2y$ prefix
- Legacy {SHA} scheme (Base64 SHA-1) for older Apache and nginx configs
- Copy the line or download it straight to a .htpasswd file
- Rejects usernames with a colon, spaces, or line breaks that would break the file
- Each bcrypt run produces a fresh hash so identical passwords never match
- Works for Apache mod_auth_basic and nginx auth_basic_user_file alike
- Hashes the password in your browser with nothing sent to a server
How to use the htpasswd Generator
- Type the username and password you want to protect a directory with
- Choose bcrypt (recommended) or the legacy SHA-1 {SHA} algorithm
- Copy the generated user:hash line or download the .htpasswd file
- Append the line to your server's .htpasswd and reference it from auth config
Example
Input
username: admin
password: password
algorithm: SHA-1
Output
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
SHA-1 produces {SHA} + Base64; bcrypt would emit admin:$2y$... instead.
Common errors & troubleshooting
- Apache logs 'crypt not supported' or the bcrypt line is rejected. — bcrypt in .htpasswd needs Apache 2.4 or later with mod_authn_file. On older servers switch to the {SHA} scheme or upgrade Apache.
- The whole line ended up on one row and auth never succeeds. — Each .htpasswd entry must be its own line ending in a newline. Downloading the file adds the newline for you; if you paste, press Enter after the line.
- Username contains a colon and the file splits it wrong. — Apache splits each entry on the first colon, so a colon in the username breaks parsing. Remove the colon — the generator blocks it for this reason.
- Copied a {SHA} hash but the login still fails. — The {SHA} scheme is unsalted SHA-1 and case-sensitive on the password. Re-check the exact password, and prefer bcrypt for anything facing the internet.
Frequently asked questions
- What algorithm should I use for a .htpasswd file?
- Use bcrypt for anything reachable over the network — it is salted and deliberately slow, so it resists brute force. The {SHA} SHA-1 scheme is unsalted and only worth using for legacy servers that cannot run bcrypt.
- Why does the bcrypt hash start with $2y$ instead of $2a$?
- $2y$ is the prefix Apache's htpasswd tool writes. bcrypt libraries often emit $2a$ or $2b$, but the algorithm is identical, so this generator normalises the prefix to $2y$ to match what Apache produces on disk.
- How do I add the generated line to my .htpasswd file?
- Copy the user:hash line, or download the .htpasswd file, and append the line as its own row. Then point AuthUserFile (Apache) or auth_basic_user_file (nginx) at that file and reload the server.
- Does the same password produce the same htpasswd line every time?
- With bcrypt, no — a fresh random salt is used each run, so identical passwords yield different hashes that still verify. With the {SHA} scheme the hash is unsalted, so the same password always yields the same line.
- Is the password I type sent to a server to be hashed?
- No. bcrypt runs in your browser and SHA-1 uses the built-in Web Crypto API, so the username and password you enter are hashed on your device and never uploaded to ArrayKit.
Related tools
- Basic Auth Generator — Generate and decode HTTP Basic Auth Authorization headers from a username and password.
- Bcrypt Generator — Hash a password with bcrypt and verify a password against a bcrypt hash, in your browser.
- Nginx Config Generator — Build an nginx server block (static, reverse proxy, SSL, gzip, caching) from simple toggles.
- .htaccess Generator — Toggle and configure common Apache .htaccess snippets with live output.
- Password Generator — Generate strong, random passwords with a strength meter (crypto-secure).
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
All ArrayKit tools