.htpasswd Generator (bcrypt)
Create a secure Apache/nginx basic-auth entry with a bcrypt-hashed password.
Updated: June 27, 2026
Generate a basic-auth user without the command line
HTTP Basic Authentication is the simplest way to password-protect a directory or
endpoint behind Apache or nginx. Credentials live in a .htpasswd file,
one username:hash line per user. This generator produces that line for
you using a secure bcrypt hash — the same as Apache's
htpasswd -B — entirely in your browser, so the password is never sent
anywhere.
Why bcrypt?
The htpasswd tool historically supported weak schemes: unsalted MD5
(apr1), SHA-1, even crypt(). Those are fast to brute-force and should be avoided.
bcrypt is deliberately slow and salted, which makes cracking a
stolen .htpasswd file impractical. Apache has supported bcrypt since
2.4 and nginx works with it too, so it's the right default for any new setup. The
cost factor controls how slow (and how strong) the hash is — 10 to 12 is a good
production range.
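To check an existing file against the advice above, here is an added example (not part of the original page or of the generator's code): a small Python audit that reports .htpasswd entries using the weak schemes named above or a bcrypt cost below 10. The function names are hypothetical, and the sample entries are constructed placeholders with the right shape, not real hashes.

```python
import re

# bcrypt as written by `htpasswd -B`: $2y$ (or $2a$/$2b$), 2-digit cost, 53 chars of salt+hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # lower end of the 10 to 12 range recommended above

def classify(hash_field):
    """Return (scheme, problem) for one hash; problem is None if acceptable."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        return "bcrypt", (f"cost {cost} is below {MIN_COST}" if cost < MIN_COST else None)
    if hash_field.startswith("$2"):
        return "bcrypt", "malformed bcrypt hash"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", "weak scheme, regenerate with bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1", "weak scheme, regenerate with bcrypt"
    return "crypt-or-unknown", "weak or unrecognised scheme"

def audit(text):
    """Return (line_no, user, scheme, problem) for every entry needing attention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        fields = line.split(":", 2)  # nginx allows a third, free-text field
        if len(fields) < 2 or not fields[0] or not fields[1]:
            findings.append((line_no, fields[0] or "?", "invalid", "not a username:hash line"))
            continue
        scheme, problem = classify(fields[1])
        if problem:
            findings.append((line_no, fields[0], scheme, problem))
    return findings

# Constructed sample: placeholder strings with the right shape, not real hashes.
SAMPLE = "\n".join([
    "# staging users",
    "alice:$2y$12$" + "a" * 53,
    "bob:$apr1$CONSTRUC$PLACEHOLDERPLACEHOLDER",
    "carol:{SHA}PLACEHOLDERPLACEHOLDERPLACE=",
    "dave:$2y$05$" + "b" * 53,
    "erin",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Entries that pass (here, alice) produce no finding, so an empty result means every line is bcrypt at cost 10 or higher.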
How to use the output
- Generate the line and copy it.
- Append it to your .htpasswd file (create one if it doesn't exist), one user per line.
- Point your server at the file. In Apache: AuthType Basic, AuthUserFile /path/.htpasswd, Require valid-user. In nginx: auth_basic "Restricted"; and auth_basic_user_file /path/.htpasswd;.
Important security notes
- Always use HTTPS. Basic auth sends the password Base64-encoded on every request — over plain HTTP it's effectively in the clear. (Base64 is encoding, not encryption.)
- Store .htpasswd outside the web root so it can't be downloaded.
- Basic auth is coarse: fine for staging sites or simple gates, but use a real auth system for anything sensitive or multi-user at scale.
Related tools
The hash here is bcrypt — explore it directly with the bcrypt generator & checker, create strong passwords with the password generator, and set organisation-wide rules with the password policy generator.
Frequently asked questions
What hash does this use?
bcrypt, the same secure scheme as Apache's 'htpasswd -B'. The output line uses the $2y$ prefix that Apache expects, and works with nginx basic auth too.
Is my password sent to a server?
No. The bcrypt hash is computed in your browser with JavaScript. The plain-text password never leaves your machine.
Where do I put the generated line?
Append it to your .htpasswd file (one user per line), ideally stored outside the web root, then reference that file in your Apache or nginx auth configuration.
Is HTTP Basic Auth secure?
Only over HTTPS. Basic auth transmits the credentials Base64-encoded on every request, so without TLS they're exposed. Use it behind HTTPS, and prefer a full auth system for sensitive applications.
Beyond basic auth
When basic auth isn't enough, these take over authentication:
- Identity provider / SSO: Replace per-directory passwords with centralized login, MFA and access control for your whole stack.
- Reverse proxy / access gateway: Add authentication, rate limiting and TLS in front of any app without changing its code.
Related tools
- Bcrypt Hash Generator & Checker: Hash a password with bcrypt at an adjustable cost factor, or verify a password against a hash.
- Password Generator: Create strong, random passwords with custom length and character sets, generated securely in your browser.
- Password Policy Generator: Turn your password rules into a written policy plus Linux PAM and Windows config.
- Password Strength & Entropy Checker: Measure a password's entropy in bits and estimate how long it would take to crack.