htpasswd Generator

Generate a SHA-1 .htpasswd line in your browser — no server, no logs.

Written by Golam Rabbani, Founder & Lead Engineer

Generate a .htpasswd line in your browser using SHA-1 — compatible with Apache, Nginx, and most HTTP Basic Auth setups. No data is sent to any server; all processing runs locally via the Web Crypto API.

How to use this htpasswd generator

  1. Enter a username in the Username field — no colons or whitespace are allowed.
  2. Enter the password in the Password field.
  3. Toggle Show to reveal the password text if you want to verify it.
  4. Click Generate to produce the .htpasswd line.
  5. Click Copy line to copy the result, then paste it into your .htpasswd file.

About this htpasswd generator

The htpasswd generator creates a single-line entry for Apache and Nginx HTTP Basic Auth password files. Each line in a .htpasswd file follows the format `username:{SHA}base64hash`, and this tool produces exactly that — ready to paste into the file your web server reads when protecting a directory or location block.

The tool uses the `{SHA}` scheme: it computes a SHA-1 digest of the raw password bytes, then base64-encodes the 20-byte result, and prepends `{SHA}`. Apache's mod_auth_basic and Nginx's ngx_http_auth_basic_module both recognise this prefix and verify incoming passwords the same way. All computation runs in your browser via the Web Crypto API (`crypto.subtle.digest('SHA-1', ...)`), so your password never leaves the device.

As a concrete example: username `ada`, password `secret` produces `ada:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=`. You can verify this independently with `echo -n "secret" | openssl dgst -sha1 -binary | base64`. One important caveat: SHA-1 without a salt or key-stretching is not a secure password hash by modern standards, because it is fast to brute-force offline. For anything beyond low-stakes internal pages, use Apache's `htpasswd -B` on the command line, which produces a bcrypt hash; bcrypt is the recommended modern format.
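
The JavaScript below is an added example, not this tool's own source. It builds the `{SHA}` line with the Web Crypto call described above, then audits .htpasswd text for entries still on `{SHA}` and groups users whose hashes are identical, which is the visible consequence of having no salt. The function names and the sample file are constructed for illustration.

```javascript
// Added example; function and constant names are hypothetical.

// Build "username:{SHA}" + base64(SHA-1(password bytes)), as described above.
async function htpasswdShaLine(username, password) {
  // ':' is the field delimiter; the page's tool also rejects whitespace.
  if (username === '' || /[:\s]/.test(username)) {
    throw new Error('username must be non-empty with no colon or whitespace');
  }
  // Browsers and current Node expose WebCrypto globally; older Node needs the import.
  const subtle = globalThis.crypto?.subtle
    ?? (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  // 20 raw digest bytes -> binary string -> base64
  return `${username}:{SHA}${btoa(String.fromCharCode(...new Uint8Array(digest)))}`;
}

// Audit .htpasswd text: list users still on {SHA}, and group users whose
// {SHA} values are identical (no salt, so identical hash = identical password).
function auditHtpasswd(text) {
  const byHash = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const sep = line.indexOf(':');
    if (line.startsWith('#') || sep < 1) continue; // comment, blank, malformed
    const user = line.slice(0, sep);
    const hash = line.slice(sep + 1);
    if (!hash.startsWith('{SHA}')) continue; // e.g. bcrypt "$2y$..." entries
    byHash.set(hash, [...(byHash.get(hash) ?? []), user]);
  }
  const groups = [...byHash.values()];
  return {
    sha1Users: groups.flat(),
    sharedPassword: groups.filter((users) => users.length > 1),
  };
}

// Constructed sample file: the ada line is the page's example; the bcrypt
// value is a placeholder, not a real hash.
const SAMPLE_HTPASSWD = [
  '# constructed sample',
  'ada:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=',
  'carol:$2y$05$PLACEHOLDER.NOT.A.REAL.BCRYPT.HASH',
  'bob:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=',
].join('\n');
```

Running `auditHtpasswd` over a real file gives the list of entries to regenerate with `htpasswd -B`.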

FAQ

What is a .htpasswd file and where is it used?
A .htpasswd file is a flat text file that stores username and hashed-password pairs for HTTP Basic Authentication. Apache reads it when you set `AuthUserFile` in a directory's configuration or .htaccess file; Nginx reads an equivalent file when `auth_basic_user_file` is set in a location block.

Why is bcrypt preferable to SHA-1 for production .htpasswd files?
SHA-1 is a fast, unsalted hash — an attacker who obtains the .htpasswd file can run billions of guesses per second against it. Bcrypt deliberately slows hashing and adds a salt per entry, making offline brute-force attacks orders of magnitude harder. Use `htpasswd -B` on the server for any publicly accessible or sensitive resource.

Does the htpasswd generator send my password to a server?
No. All processing runs locally in your browser using the Web Crypto API. Your password is hashed in-memory and is never transmitted to any server, logged, or stored. Closing the page discards everything.

How do I deploy the generated line to my server?
Copy the output line and append it to your .htpasswd file on the server (one entry per line). Then point your Apache `AuthUserFile` directive or Nginx `auth_basic_user_file` directive at that file path. Reload the server config with `apachectl graceful` or `nginx -s reload`.

Why does the username field reject colons and whitespace?
The .htpasswd format uses a literal colon as the delimiter between the username and the hashed password. A colon inside the username would break the parser, causing authentication to fail or behave unpredictably. Whitespace is similarly disallowed because most parsers treat it as a field separator.

Is this htpasswd generator free to use?
Yes, it is completely free with no account, no signup, and no usage limit.