htpasswd is a utility used to create and update flat-files storing usernames and passwords for basic authentication of HTTP users in Apache and Nginx web servers.

Which htpasswd algorithm is most secure?

bcrypt ($2y$) is the most secure algorithm for htpasswd. It's designed to be computationally expensive, making brute-force attacks difficult. SHA-512 ($6$) is also a good choice.

What do the prefixes like $2y$, $apr1$, $6$ mean?

These are Modular Crypt Format identifiers: $2y$ = bcrypt, $apr1$ = Apache MD5, $5$ = SHA-256, $6$ = SHA-512, $sha1$ = SHA-1. The prefix tells the server which algorithm to use for verification.

Htpasswd Generator

Apache/Nginx Basic Auth Secure Hash

Anish Nath

Generate htpasswd

Credentials

Username

Password

Algorithm

bcrypt

$2y$

SHA-512

$6$

SHA-256

$5$

APR-MD5

$apr1$

Learn & try with AI

Tap a topic — opens the AI assistant with a ready prompt (Ctrl+Shift+A).

Generated .htpasswd Entry

htpasswd entry will appear here

Enter username and password to generate

htpasswd Commands

Generate bcrypt hash

$ htpasswd -B -c .htpasswd admin

Generate SHA-512 hash (OpenSSL)

$ openssl passwd -6 -salt $(openssl rand -base64 8)

Generate APR-MD5 hash

$ openssl passwd -apr1

Related Password Hashing Tools

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users

200+ tools

100% private

☕ One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

Understanding htpasswd

What is htpasswd?

The htpasswd utility creates and updates flat-files storing usernames and passwords for basic HTTP authentication in Apache and Nginx web servers.

Modular Crypt Format

htpasswd uses the Modular Crypt Format (MCF) which identifies the algorithm by a prefix:

Prefix	Algorithm	Security	Notes
$2y$ / $2a$	bcrypt	Excellent	Recommended. Adjustable cost factor.
$6$	SHA-512	Very Good	5000 rounds default. Good alternative.
$5$	SHA-256	Good	5000 rounds default.
$apr1$	APR-MD5	Fair	Apache-specific MD5. Legacy support.
`{SHA}`	SHA-1	Weak	Unsalted. Not recommended.
(none)	crypt(3)	Weak	DES-based. 8 char max. Avoid.

Nginx Configuration

location /protected {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Apache Configuration

<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

Htpasswd Generator

Generate htpasswd

Generated .htpasswd Entry

htpasswd Commands

Related Password Hashing Tools

BCrypt

Scrypt

Argon2

PBE

Support This Free Tool

Understanding htpasswd

What is htpasswd?

Modular Crypt Format

Nginx Configuration

Apache Configuration

Quick Access

PGP Tools

Sharing Services

Security Tools

Cryptography

Network Tools

Legal & Compliance

DevOps/Container

Blockchain

Encoders/Converters

Developer Tools

Machine Learning Visualizers

Media Tools

Documents & PDF

Finance

Health

Lifestyle & Productivity

Chemistry

Math & Education

Physics Tools

Internationalization