Create Apache & Nginx Basic-Auth Password Entries

Build a ready-to-paste .htpasswd line entirely in your browser. Choose bcrypt or APR1 MD5, set the work factor, and copy the result — nothing is ever uploaded.

Salts are generated with crypto.getRandomValues. Demo hashing runs locally; verify with the server-side htpasswd tool before production use.

How the hashes are built

Apache basic auth reads a flat file where each line is username:hash. The hash prefix tells the server which algorithm to verify against. This generator implements the two formats that matter today.

bcrypt entries start with $2y$, followed by a two-digit cost and a 22-character base-64 salt. The cost is an exponent: the underlying Blowfish key schedule is run 2^cost times, so raising the cost from 10 to 11 doubles the work an attacker must spend per guess. With cost 10 a modern CPU computes roughly 10–15 hashes per second per core — slow enough to blunt brute force, fast enough that a login feels instant. We surface the live estimate 2^cost iterations so you can balance security against server load before you commit a value.

APR1 entries start with $apr1$ and use Apache's iterated MD5 variant. The algorithm seeds an MD5 context with the password, an 8-character salt and the magic string, then folds the digest back into itself 1000 times in a fixed permutation before base-64 encoding the 16-byte result. It is portable and needs no bcrypt module, but MD5's speed makes it weak against modern GPUs — keep it only for legacy servers that cannot load mod_bcrypt.
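The prefix rules above can also be applied in reverse to check an existing .htpasswd file. This is an added example, not this generator's own code: it parses each line, reads the bcrypt cost and salt, and flags APR1 or malformed entries. The names auditEntry, auditFile and MIN_BCRYPT_COST are assumptions of the example, and the sample lines are constructed placeholders rather than real hashes.

```javascript
// Added example: audit .htpasswd lines by hash prefix. Not the generator's own code.
const B64 = '[./A-Za-z0-9]'; // alphabet shared by the bcrypt and APR1 encodings
const BCRYPT = new RegExp(`^\\$2y\\$(\\d{2})\\$(${B64}{22})(${B64}{31})$`);
const APR1 = new RegExp(`^\\$apr1\\$(${B64}{1,8})\\$(${B64}{22})$`);
const MIN_BCRYPT_COST = 10; // assumed policy floor for this example

function auditEntry(line) {
  const sep = line.indexOf(':');
  if (sep < 1) return { ok: false, reason: 'not username:hash' };
  const user = line.slice(0, sep);
  const hash = line.slice(sep + 1).trim();

  let m = BCRYPT.exec(hash);
  if (m) {
    const cost = Number(m[1]);
    // bcrypt itself only defines costs 4 through 31
    if (cost < 4 || cost > 31) {
      return { user, scheme: 'bcrypt', ok: false, reason: 'cost out of range' };
    }
    const ok = cost >= MIN_BCRYPT_COST;
    return { user, scheme: 'bcrypt', cost, iterations: 2 ** cost, salt: m[2],
             ok, reason: ok ? 'ok' : 'cost below policy' };
  }
  m = APR1.exec(hash);
  if (m) {
    // Well-formed, but fixed at 1000 MD5 rounds: flag for migration
    return { user, scheme: 'apr1', iterations: 1000, salt: m[1],
             ok: false, reason: 'legacy MD5 scheme' };
  }
  return { user, scheme: 'unknown', ok: false, reason: 'unrecognised or malformed hash' };
}

function auditFile(text) {
  return text.split(/\r?\n/).filter((l) => l.trim() !== '').map(auditEntry);
}

// Constructed sample: structurally valid placeholders, not real password hashes
const SAMPLE = [
  'alice:$2y$12$' + 'abcdefghijklmnopqrstuv' + 'x'.repeat(31),
  'bob:$2y$05$' + 'abcdefghijklmnopqrstuv' + 'x'.repeat(31),
  'carol:$apr1$' + 'saltsalt' + '$' + 'y'.repeat(22),
  'dave:$2y$10$tooshort',
].join('\n');

for (const r of auditFile(SAMPLE)) {
  console.log(r.user, r.scheme, r.ok ? 'OK' : 'FLAG', '-', r.reason);
}
```
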

The entropy meter scores your password with the Shannon-style estimate bits = length × log2(poolSize), where the character pool grows as you mix lowercase, uppercase, digits and symbols. A 12-character mixed password clears about 78 bits, comfortably past the 60-bit floor below which offline cracking becomes practical. Because every step runs in JavaScript on your machine, your credentials never leave the page, which is the whole point of a client-side htpasswd generator: no plaintext password is transmitted to any third party.
