Handytool
UtilityFreeRuns locally

Htpasswd generator

Generate Apache .htpasswd password hashes (bcrypt, Apache MD5, SHA) entirely in your browser.

Output (username:hash)
The .htpasswd line will appear here as you type.
Hash type

Higher is slower but harder to brute-force. 10–12 is recommended.

All hashing happens in your browser — your password is never sent to a server.

About the Htpasswd generator

Handytool's htpasswd generator creates Apache- and Nginx-compatible .htpasswd entries right in your browser. Enter a username and password, pick bcrypt (recommended), Apache MD5 (APR1), or SHA-1, and copy the user:hash line or download a ready-to-use .htpasswd file. Because the hashing runs locally with no server round-trip, your password is never uploaded, logged, or stored anywhere.

Htpasswd generator features

  • 01

    Bcrypt, Apache MD5, and SHA

    Generate the modern $2y$ bcrypt hash with an adjustable cost factor, the classic salted Apache MD5 (APR1), or a legacy {SHA} digest — whatever your server expects. The output is byte-for-byte compatible with the Apache htpasswd command.

  • 02

    Copy the line or download a file

    Copy the complete username:hash line for your existing .htpasswd, or download a fresh .htpasswd file you can drop straight onto your server. Salted schemes get a new random salt on every run.

  • 03

    100% in your browser

    All hashing happens locally on your device. No username, password, or hash is ever sent to a server, so you can safely generate credentials for production sites without exposing them.

Htpasswd generator FAQ

What is an .htpasswd file?
An .htpasswd file stores usernames and hashed passwords for HTTP Basic Authentication on web servers like Apache and Nginx. Each line has the format username:hash. The server checks submitted credentials against these hashes to protect a directory or site.
Which hash type should I use?
Use bcrypt — it's the most secure option, with a built-in salt and a tunable cost factor that resists brute-force attacks. Apache MD5 (APR1) is salted and still widely supported for older setups. Avoid SHA-1 ({SHA}) except for legacy compatibility, since it is unsalted and considered weak.
Does Nginx support .htpasswd files?
Yes. Nginx reads the same htpasswd format via the auth_basic and auth_basic_user_file directives. Bcrypt and Apache MD5 (APR1) entries both work; plain SHA-1 is also accepted.
What is the bcrypt cost factor?
The cost (or work factor) controls how many rounds bcrypt runs — each increment doubles the work. A cost of 10–12 is a good balance of security and speed for most servers. Higher values are more resistant to brute-force but slower to verify on every login.
Is it safe to generate my password here?
Yes. The hash is computed entirely in your browser using local JavaScript and the Web Crypto API — nothing is transmitted, logged, or stored. Only the resulting hash, which cannot be reversed into your password, ever leaves your screen when you copy it.
How do I use the generated line in Apache?
Add the username:hash line to your .htpasswd file, then point Apache at it with AuthType Basic, AuthName, and AuthUserFile directives in your .htaccess or virtual host. Reload Apache and the protected directory will prompt for the credentials you generated.

Related tools

Utility

Explore other tools

All tools