What is .htpasswd?
.htpasswd is a flat-file used by the Apache HTTP Server to store usernames and passwords for HTTP basic authentication. The file was first implemented in the NCSA HTTPd server, Apache's predecessor. Each line contains a username, followed by a colon and the hashed password using algorithms such as bcrypt, SHA-1, or MD5.
Apache 2.4 added support for bcrypt, the only algorithm still considered secure today. The file is referenced from the .htaccess configuration and can protect entire directories or specific files.
Available algorithms
- Bcrypt: Recommended. Uses automatic salt and allows configuring computational cost. Resistant to brute force attacks.
- SHA-1: Generates SHA-1 hashes. Compatible with most legacy systems, but considered obsolete for password storage.
- MD5: Legacy compatibility only. Very fast and not resistant to attacks. Only use if required by the system.
Common Use Cases
- Protecting admin directories: Restrict access to admin panels or sensitive areas of a website using basic authentication.
- Staging and development environments: Block public access to pre-production or in-development sites with an extra security layer.
- Private repositories on web servers: Limit file or documentation downloads to authorized users only.
- Simple authentication without a database: Implement a basic login system without needing a database or additional infrastructure.
Related Tools
Hash Generator
Calculate SHA-256, SHA-512 and MD5 hashes for large files
X.509 Certificate Extractor
Extract information from SSL/TLS certificates in PEM format
SRI Generator
Generate Subresource Integrity (SHA-384) hashes to verify CDN resources.
PEM to PFX Converter
Convert PEM certificate and private key to a protected PFX/P12 file.