htpasswd Generator Online

Generate a .htpasswd user line with bcrypt or SHA-1 from a username and password, right in your browser. Credentials stay on your device.

The htpasswd Generator hashes your password in your browser — bcrypt in a lazily loaded module and SHA-1 via the Web Crypto API. The username and password you enter never leave your device and are never uploaded to ArrayKit.

Open the Basic Auth Generator

About htpasswd Generator

The htpasswd Generator turns a username and password into a single .htpasswd line for Apache or nginx HTTP basic auth. Pick bcrypt, the recommended salted scheme that Apache writes as $2y$, or the legacy {SHA} scheme (unsalted SHA-1, Base64) for older setups. The tool outputs a ready user:hash line you can copy or download and append to your .htpasswd file, then protect a directory with AuthType Basic or nginx auth_basic_user_file. It suits sysadmins and developers locking down a staging site, an internal dashboard, or a directory behind a reverse proxy. bcrypt hashing runs with a fresh random salt each time and SHA-1 uses the Web Crypto API — all in your browser, so the password you type never leaves your device.

Features

How to use the htpasswd Generator

  1. Type the username and password you want to protect a directory with
  2. Choose bcrypt (recommended) or the legacy SHA-1 {SHA} algorithm
  3. Copy the generated user:hash line or download the .htpasswd file
  4. Append the line to your server's .htpasswd and reference it from auth config

Example

Input

username: admin
password: password
algorithm: SHA-1

Output

admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

SHA-1 produces {SHA} + Base64; bcrypt would emit admin:$2y$... instead.

Common errors & troubleshooting

Frequently asked questions

What algorithm should I use for a .htpasswd file?
Use bcrypt for anything reachable over the network — it is salted and deliberately slow, so it resists brute force. The {SHA} SHA-1 scheme is unsalted and only worth using for legacy servers that cannot run bcrypt.
Why does the bcrypt hash start with $2y$ instead of $2a$?
$2y$ is the prefix Apache's htpasswd tool writes. bcrypt libraries often emit $2a$ or $2b$, but the algorithm is identical, so this generator normalises the prefix to $2y$ to match what Apache produces on disk.
How do I add the generated line to my .htpasswd file?
Copy the user:hash line, or download the .htpasswd file, and append the line as its own row. Then point AuthUserFile (Apache) or auth_basic_user_file (nginx) at that file and reload the server.
Does the same password produce the same htpasswd line every time?
With bcrypt, no — a fresh random salt is used each run, so identical passwords yield different hashes that still verify. With the {SHA} scheme the hash is unsalted, so the same password always yields the same line.
Is the password I type sent to a server to be hashed?
No. bcrypt runs in your browser and SHA-1 uses the built-in Web Crypto API, so the username and password you enter are hashed on your device and never uploaded to ArrayKit.

Related tools

All ArrayKit tools