Back to tools

What is .htpasswd?

.htpasswd is a flat-file used by the Apache HTTP Server to store usernames and passwords for HTTP basic authentication. The file was first implemented in the NCSA HTTPd server, Apache's predecessor. Each line contains a username, followed by a colon and the hashed password using algorithms such as bcrypt, SHA-1, or MD5.

Apache 2.4 added support for bcrypt, the only algorithm still considered secure today. The file is referenced from the .htaccess configuration and can protect entire directories or specific files.

Available algorithms

  • Bcrypt: Recommended. Uses automatic salt and allows configuring computational cost. Resistant to brute force attacks.
  • SHA-1: Generates SHA-1 hashes. Compatible with most legacy systems, but considered obsolete for password storage.
  • MD5: Legacy compatibility only. Very fast and not resistant to attacks. Only use if required by the system.

Common Use Cases

  • Protecting admin directories: Restrict access to admin panels or sensitive areas of a website using basic authentication.
  • Staging and development environments: Block public access to pre-production or in-development sites with an extra security layer.
  • Private repositories on web servers: Limit file or documentation downloads to authorized users only.
  • Simple authentication without a database: Implement a basic login system without needing a database or additional infrastructure.