htpasswd generator

Create an Apache .htpasswd line for HTTP Basic authentication. Supported formats: SHA‑1 ({SHA}...), APR1‑MD5 ($apr1$...), bcrypt ($2y$...) and Argon2i ($argon2i$...).

Enter a username, choose an algorithm and type the password twice. Click Generate and copy the result into your .htpasswd file.

• bcrypt: choose the cost (rounds). Default is 10.
• SHA‑1: produces {SHA} base64 digest (legacy).
• APR1‑MD5: uses a random 8‑character salt and outputs $apr1$ hashes (legacy).
• Argon2i: uses safe defaults (t=3, m=64 MiB, p=1) and runs in your browser via WebAssembly.

• Security: SHA‑1 and APR1‑MD5 are considered weak; prefer bcrypt or Argon2i for new deployments.
• Everything runs locally in your browser — we do not send your password anywhere.
• Be careful with clipboard history and shared machines.

• SHA‑1: admin:password → admin:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
• bcrypt (10 rounds): user:secret → user:$2y$10$<22‑char salt><31‑char hash> (random salt makes it different every time)
• APR1‑MD5: jane:secret → jane:$apr1$<salt>$<hash>
• Argon2i: dev:secret → dev:$argon2i$<params>$<salt>$<hash> (PHC format)

All salted algorithms (APR1‑MD5, bcrypt, Argon2i) produce different outputs for the same password — this is expected and improves security.

• What should I choose? For new setups, prefer bcrypt or Argon2i. Use SHA‑1/APR1 only for compatibility.
• Is this supported by Apache? $2y$ (bcrypt) and $argon2i$ are supported in Apache 2.4+; APR1‑MD5 is widely supported historically.
• Why is the hash different each time? Due to a random salt. It mitigates brute‑force and rainbow‑table attacks.
• How to verify a hash? On the server: htpasswd -vb .htpasswd username password (returns success/failure without modifying the file).
• Are any data sent? No. Everything happens in your browser; nothing is transmitted.