bcrypt vs MD5 APR1 vs SHA-1?

**Algorithm choice** depends on server age and requirements: - **bcrypt**: modern standard, slow (50-200ms per hash) with configurable cost, **resistant to brute force and GPU** - **MD5 APR1** (`$apr1$`): Apache classic from 1995, 1000 iterations of MD5 + salt; **much faster** than bcrypt (1ms), so **weaker** against brute force - **SHA-1** (`{SHA}`): single round, no salt, **cracked in hours** **Use bcrypt** for new setups; MD5 APR1 if the server is old; SHA-1 only on Nginx where you need minimal CPU.

Why is bcrypt "better" if it's slower?

**Slow hash = harder brute force**. SHA-1 runs in **0.0001ms**, attackers try **10B passwords/s**. **bcrypt cost=10** takes **50ms**, attackers manage **200/s**, **50 billion times slower**. For normal users 50ms at login is **unnoticeable**; for an attacker with trillions of passwords to try, **it's "minutes" vs "years"**.

What bcrypt cost should I pick?

**2024-2026 standard**: **cost=10** (~50-100ms). For banking / secrets management: **cost=12** (~400ms) or **14** (~1.5s). **cost=4-8 is dangerously fast, DO NOT use**. Don't exceed 14 unless you accept multi-second login times. **Note**: bcrypt cost is baked into the hash (`$2y$10$...`), changing cost requires **rehashing all passwords**.

**Yes**. Nginx **natively reads** Apache htpasswd format via `auth_basic_user_file /path/to/.htpasswd`. Accepts all 3 algorithms from our generator. **For a new Nginx-only setup, bcrypt is the best choice**.

Does my password reach the server?

**No**. All logic (**bcrypt, MD5 APR1, SHA-1**) runs in your browser. **bcrypt** via **bcryptjs** (pure JS), **MD5 APR1** via **hash-wasm**, **SHA-1** via **Web Crypto API**. **DevTools → Network** = no requests with the password.

Where should I put the .htpasswd file?

**OUTSIDE document root** (e.g. `/etc/apache2/passwords/.htpasswd` on Debian/Ubuntu, **NOT** `/var/www/html/.htpasswd` where someone could fetch it over HTTP). **Permissions**: `chmod 640`, **owner=root, group=www-data** (or nginx). Apache reads it through `AuthUserFile`, Nginx the same via `auth_basic_user_file`.

How do I add multiple users?

**Each user = ONE line** in the file. Generate an entry per user (change username + password, copy the new line), paste them all into **the same file**. Apache/Nginx scans every line and looks up matching usernames. **Bash alternative**: a loop calling `htpasswd -B file user pass` for each pair.

.htpasswd file generator - free

Generated line

Enter username and password to generate the line.

Username

Password

Algorithm

tools.htpasswd.algoHint_bcrypt

Bcrypt cost (2^10)

Hashing runs locally. Your password never leaves the browser.

How do I password-protect an Apache or Nginx page (basic auth)?

Generates an entry for a .htpasswd file: the line in `user:hash` format ready to paste into an Apache .htpasswd file or the `auth_basic_user_file` directive in Nginx.

Supports: bcrypt (recommended for 2024+, strongest), MD5 APR1 (`$apr1$`, Apache classic), SHA-1 (`{SHA}`, Nginx-compatible).

Everything is computed in your browser, the password never leaves.

How to use it

Type a username (e.g. "admin", "backup_user").

Type the password, the hash is computed instantly in the browser.

Pick the algorithm: bcrypt (strongest, ~50ms per hash, Apache 2.4+ and Nginx 1.10+), MD5 APR1 (Apache classic, works everywhere), SHA-1 (Nginx-only, weakest but fastest).

For bcrypt set the cost (4-14). Default 10 balances security and login latency (~50ms verify). 12+ for security-critical apps.

Copy the line or download as .htpasswd. Upload to the server in a safe place outside document root and reference from Apache (`AuthUserFile`) or Nginx (`auth_basic_user_file`).

When this is useful

Five typical situations where basic auth with .htpasswd is 100% sufficient:

Locking down a static site against indexing. Basic auth on a staging/test panel.
Protecting an `/admin/` directory in Apache.
Private package mirror (Composer, npm). Access for the team only.
Internal documentation site. Access to internal docs.
CI/CD artifact server. Private build artifact server.

For larger setups (10+ users) consider a dedicated identity provider, basic auth scales poorly. Single user or small team = the ideal use case.

The generator lets you add an entry without installing the htpasswd CLI or Apache utils.

Questions and answers

A text file with `user:hash` lines, used by Apache and Nginx for basic HTTP authentication. When the server gets a request with `Authorization: Basic ...`, it decodes user:password, looks the user up in the file, and compares the password hash to the stored one. A standard since the 1990s: simple, but limited (no sessions, no logout, password sent base64 on every request).

How do I password-protect an Apache or Nginx page (basic auth)?

Generates an entry for a .htpasswd file: the line in `user:hash` format ready to paste into an Apache .htpasswd file or the `auth_basic_user_file` directive in Nginx.

Supports: bcrypt (recommended for 2024+, strongest), MD5 APR1 (`$apr1$`, Apache classic), SHA-1 (`{SHA}`, Nginx-compatible).

Everything is computed in your browser, the password never leaves.

How to use it

Type a username (e.g. "admin", "backup_user").

Type the password, the hash is computed instantly in the browser.

Pick the algorithm: bcrypt (strongest, ~50ms per hash, Apache 2.4+ and Nginx 1.10+), MD5 APR1 (Apache classic, works everywhere), SHA-1 (Nginx-only, weakest but fastest).

For bcrypt set the cost (4-14). Default 10 balances security and login latency (~50ms verify). 12+ for security-critical apps.

Copy the line or download as .htpasswd. Upload to the server in a safe place outside document root and reference from Apache (`AuthUserFile`) or Nginx (`auth_basic_user_file`).

When this is useful

Five typical situations where basic auth with .htpasswd is 100% sufficient:

Locking down a static site against indexing. Basic auth on a staging/test panel.
Protecting an `/admin/` directory in Apache.
Private package mirror (Composer, npm). Access for the team only.
Internal documentation site. Access to internal docs.
CI/CD artifact server. Private build artifact server.

For larger setups (10+ users) consider a dedicated identity provider, basic auth scales poorly. Single user or small team = the ideal use case.

The generator lets you add an entry without installing the htpasswd CLI or Apache utils.

Questions and answers

.htpasswd file generator

How do I password-protect an Apache or Nginx page (basic auth)?

How to use it

When this is useful

Questions and answers

Related tools

Password Hashes: MD5, SHA, bcrypt

Password Generator

Pwned Password Check

.htpasswd file generator

How do I password-protect an Apache or Nginx page (basic auth)?

How to use it

When this is useful

Questions and answers

Related tools

Password Hashes: MD5, SHA, bcrypt

Password Generator

Pwned Password Check