htpasswd Generator

Generate htpasswd entries for Apache, Nginx, and Traefik basic auth.

Client-side only — nothing leaves your browser

Quick Start (Terminal)

Prefer the command line? Create an htpasswd file with bcrypt (recommended) and a single user:

htpasswd -cB .htpasswd alice

Replace -B with -m for apr1 MD5, -s for SHA-1, or -p for plain text. Drop -c when adding users to an existing file.

What is htpasswd?

htpasswd is the standard utility for creating and updating the flat-file user database that powers HTTP Basic Authentication. Each line is a single user record in the form username:hash. The file is consumed by Apache (AuthUserFile), Nginx (auth_basic_user_file), Traefik (basicAuth.users), the Docker Registry, and many other reverse proxies and embedded servers.

htpasswd File Format

An .htpasswd file is plain text. Each line is one user, with the username and hash separated by a colon:

alice:$apr1$xK9Js8Lq$3FQYy0R0wQ1FxK0gJzVxR.
bob:$2y$10$KIXxPfnK7zXfWNXJ6lF.0OpJ8hFqQp0L4kRxK3aXjY1OYy7xQzT9C
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

The prefix on the hash identifies the algorithm: $apr1$ for Apache MD5, $2y$ for bcrypt, $1$ for crypt(3) MD5, {SHA} for base64-encoded SHA-1, and no prefix for plain text. Usernames cannot contain a colon or whitespace.

htpasswd Hash Algorithms Compared

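| Algorithm  | Flag     | Prefix | Security             |
|------------|----------|--------|----------------------|
| bcrypt     | -B       | $2y$   | Strong (recommended) |
| apr1 (MD5) | -m       | $apr1$ | Moderate, salted     |
| crypt MD5  | (legacy) | $1$    | Moderate, salted     |
| SHA-1      | -s       | {SHA}  | Weak (no salt)       |
| Plain text | -p       | (none) | None — avoid         |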

Using htpasswd with Your Server

Apache (.htaccess)

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Nginx

location / {
  auth_basic "Restricted Area";
  auth_basic_user_file /etc/nginx/.htpasswd;
}

Nginx supports apr1, plain (with a special {PLAIN} prefix), SHA-1, and crypt(3). It does not support bcrypt directly — use apr1 if you need a browser-generated hash for Nginx.

Traefik (docker labels)

- "traefik.http.middlewares.auth.basicauth.users=alice:$$apr1$$xK9...$$3FQ..."

In Docker Compose labels, escape every $ as $$ — otherwise Compose tries to expand them as variables.

Docker Registry

docker run --entrypoint htpasswd httpd:2 -Bbn alice secret > auth/htpasswd

The Docker Registry only accepts bcrypt — use -B.
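The prefix rules, the comparison table and the per-server notes above, combined into a small audit script. This is an added example, not part of the original page or of the htpasswd tool; the function names, the SUPPORTED table (limited to what this page states for Nginx and the Docker Registry, with unprefixed plain text left out for Nginx because the page says it needs a {PLAIN} prefix) and the dave and erin sample lines are assumptions constructed for illustration.

```python
import base64
import hashlib

# (prefix, algorithm, rating) from the comparison table on this page.
PREFIXES = [("$2y$", "bcrypt", "strong"), ("$2a$", "bcrypt", "strong"),
            ("$2b$", "bcrypt", "strong"), ("$apr1$", "apr1", "moderate"),
            ("$1$", "crypt-md5", "moderate"), ("{SHA}", "sha1", "weak")]
# Accepted algorithms per target, limited to what this page states.
SUPPORTED = {"nginx": {"apr1", "crypt-md5", "sha1"}, "docker-registry": {"bcrypt"}}
# Constructed sample: the first three lines are the page's, dave and erin are added.
SAMPLE = """\
alice:$apr1$xK9Js8Lq$3FQYy0R0wQ1FxK0gJzVxR.
bob:$2y$10$KIXxPfnK7zXfWNXJ6lF.0OpJ8hFqQp0L4kRxK3aXjY1OYy7xQzT9C
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
erin:hunter2
"""

def classify(hashed):
    """Return (algorithm, rating) for the hash field of one entry."""
    for prefix, algo, rating in PREFIXES:
        if hashed.startswith(prefix):
            return algo, rating
    return "plain", "none"

def sha_entry(password):
    """{SHA} is base64(SHA-1(password)) with no salt, so it is reproducible."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def audit(text, target=None):
    """Return (line_no, user, message) findings for an .htpasswd file."""
    findings, sha_owner = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user or any(c.isspace() for c in user):
            findings.append((n, user, "malformed entry"))
            continue
        algo, rating = classify(hashed)
        if rating in ("weak", "none"):
            findings.append((n, user, f"{algo}: rated {rating}"))
        if target and algo not in SUPPORTED[target]:
            findings.append((n, user, f"{algo} not accepted by {target}"))
        if algo == "sha1" and sha_owner.setdefault(hashed, user) != user:
            findings.append((n, user, f"same unsalted hash as {sha_owner[hashed]}"))
    return findings
```

sha_entry("password") reproduces the page's carol hash exactly, which is what the missing salt means in practice: identical passwords always produce identical entries.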

Frequently Asked Questions

What is the htpasswd file format?
An .htpasswd file is a plain-text file where each line represents one user, with the username and the hashed password separated by a colon (username:hash). The hash is prefixed with a tag that identifies the algorithm: $apr1$ for Apache's salted MD5, $2y$ for bcrypt, $1$ for crypt(3) MD5, {SHA} for base64-encoded SHA-1, and no prefix for plain text. Usernames cannot contain a colon or whitespace. The file should be stored outside your web root so it can't be served directly.

Which htpasswd algorithm should I use — bcrypt, apr1, or MD5?
Use bcrypt (htpasswd -B) wherever it's supported — it's the only modern algorithm in the htpasswd toolkit that's deliberately slow, which makes brute-force attacks expensive. apr1 (htpasswd -m, the Apache MD5 variant) is the historical default and is universally supported by Apache, Nginx, and Traefik, but it's a fast hash and is no longer considered strong. SHA-1 ({SHA}) is unsalted and should only be used for legacy compatibility. Plain text (-p) should be avoided entirely. The Docker Registry requires bcrypt specifically.

Does Nginx support bcrypt in htpasswd files?
No — Nginx's auth_basic module does not support bcrypt ($2y$, $2a$, $2b$) hashes. Nginx supports apr1 ($apr1$), crypt(3) ($1$), SHA-1 ({SHA}), and plain text (with the special {PLAIN} prefix on Linux). If you generate a bcrypt hash with htpasswd -B and use it with Nginx, authentication will silently fail. Use apr1 (htpasswd -m) for Nginx instead — it's the safest choice that Nginx supports natively.

How do I add another user to an existing htpasswd file?
Run htpasswd without the -c flag: htpasswd /path/to/.htpasswd newuser. The -c (create) flag overwrites the file, so omitting it appends the new user. If the user already exists, htpasswd updates their hash in place. You can also pass the password non-interactively with -b: htpasswd -b /path/to/.htpasswd newuser secret — useful for scripts, but the password ends up in your shell history.

Can htpasswd hashes be decoded back to the original password?
No — htpasswd hashes (bcrypt, apr1, MD5, SHA-1) are one-way functions, meaning there's no algorithm that reverses them to recover the original password. To verify a password you re-hash the candidate with the same salt and compare. The only practical 'decode' attack is brute force or a dictionary attack, which is why bcrypt's deliberate slowness matters: a strong password protected by bcrypt is effectively unrecoverable, while a weak password protected by SHA-1 can be cracked in seconds.
