.htpasswd Generator - Directory Protection for your Website

The secure .htpasswd generator. With the .htaccess and .htpasswd files you can protect a whole website or only single directories from visitors and search engines. Apache refers to this as Basic Authentication.

This page contains a JavaScript port of the Apache server’s htpasswd utility. To ensure your privacy, no server-side computation is involved; your data always remains in your browser.

.htpasswd Generator


Paste the result into your .htpasswd file on your web server.

This app works completely client-side. Your passwords are not transmitted to our server.

How to set up password protection using .htaccess and .htpasswd.
My tutorial: Password protect web server directories:

Step 1: Create or edit the .htaccess file

The Apache HTTP Server configuration file .htaccess (short for “hypertext access”, German “Hypertext-Zugriff”) allows the user to pass directives to the web server. One use case is directory protection: the settings are made in the .htaccess file, and the users and passwords are stored in the .htpasswd file.

Setup for Apache and nginx

Below you will find the minimum configuration for password protection for the Apache and nginx web servers:

Apache .htaccess file

AuthUserFile /pfad/zur/.htpasswd
AuthName "Passwortgeschützt!"
AuthType Basic
Require valid-user

nginx Password Setup

location / {
  auth_basic "Passwortgeschützt!";
  auth_basic_user_file /pfad/zur/.htpasswd;
}

Copy the four lines of the Apache example above into your .htaccess file.

  • If you want to protect the whole website, the .htaccess file must be placed in the root directory of your website.
  • If you want to protect only a specific directory, the .htaccess file must be placed in that specific directory.

ATTENTION: The path to the .htpasswd must be specified as an absolute path, starting from the file system root.
Right: /var/www/vhosts/user/domain.com/.htpasswd
Wrong: /domain.com/.htpasswd

Step 2: Create .htpasswd file

Create a file called “.htpasswd” and place it in a different directory than the .htaccess, preferably outside the document root so that it cannot be accessed at all via the web server.

Now generate the .htpasswd entry with the generator above, using your username and password. Paste the result into the new file with an editor. Multiple users can be inserted one below the other:

franz:$2a$10$FD5dzX8liCeBzL002HiqMus9mLYJIjc0Srl5K/iUegyFn0b4gLoSG
hans:$2a$10$NdTiWGPcgCcc1Te2U.LgPe6533PZkC1ILMZwFrFw/1gVtkLcFlvfq

INFO: The name .htpasswd is not mandatory. You can freely use e.g. .passwd.

Step 3: Test or disable

The password protection is active as soon as you have changed and saved the .htaccess.

Apache directory protection in Chrome browser

Visitors can access the protected directories only once you have also stored the hashed passwords in the .htpasswd. Never forget to test your logins!

You deactivate the protection by deleting the four inserted lines in the .htaccess. Alternatively, comment them out for later using “#”. Example:

#AuthUserFile /path/to/.htpasswd
#AuthName "Directory Protected!"
#AuthType Basic
#Require valid-user

Learn how to password protect only your wp-login.php file.


.htpasswd Generator Infographic

On the right side you will find an infographic that shows the directory protection in 3 steps.

Technical information on directory protection

It is important to note that password hash functions are not encryption. Most of the older algorithms are considered insecure today. Only the bcrypt algorithm, which is selected by default in the .htpasswd generator, is still recommended.

Hashing algorithms

| Format | Description |
| --- | --- |
| bcrypt | “$2y$” or “$2a$” + the result of the crypt_blowfish algorithm. This algorithm is currently considered very secure. Bcrypt hashes are very slow to compute (which is one of the reasons why they are secure). |
| MD5 | “$apr1$” + the result of an Apache-specific algorithm which uses an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. Standard but insecure. |
| SHA1 | “{SHA}” + Base64-encoded SHA-1 digest of the password. Insecure. |
| Salted SHA1 | “{SSHA}” prefix. Using a salt makes it more difficult to crack a list of passwords. However, it does not make dictionary attacks more difficult when cracking a single password. Considered insecure. |
| Plain Text | Plain text passwords. |
.htpasswd generator – for your directory protection

This .htpasswd generator uses the crypto-js and the bcrypt-js libraries for calculating the hash codes.
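
An added example, not part of the original page or its generator: a small Python audit of an existing .htpasswd file that classifies each entry by the hash formats listed in the table above and reports everything that is not bcrypt. The function names, the `min_cost` threshold of 10 and the anna/bert entries are assumptions constructed for illustration; the franz entry is the sample from Step 2.

```python
import base64
import hashlib
import re

# Patterns follow the page's "Hashing algorithms" table; only bcrypt passes.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[ay]\$(\d\d)\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("ssha", re.compile(r"^\{SSHA\}[A-Za-z0-9+/]+=*$")),
]

def classify(field):
    """Return (scheme, bcrypt cost or None) for the hash part of one entry."""
    for name, pattern in SCHEMES:
        if (m := pattern.match(field)):
            return name, int(m.group(1)) if name == "bcrypt" else None
    return "plaintext-or-unknown", None

def sha_entry(user, password):
    """Build a {SHA} entry (Base64 of the SHA-1 digest); note there is no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def audit(text, min_cost=10):
    """Return (line_no, user, finding) tuples; min_cost is an assumed policy value."""
    findings, first_user = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, field = line.partition(":")
        scheme, cost = classify(field) if sep and user else ("malformed", None)
        if scheme != "bcrypt":
            findings.append((no, user, f"not bcrypt: {scheme}"))
        elif cost < min_cost:
            findings.append((no, user, f"bcrypt cost {cost} below {min_cost}"))
        # Without a per-entry salt, equal passwords give equal hash fields.
        if field and scheme != "bcrypt" and field in first_user:
            findings.append((no, user, f"same hash as {first_user[field]}: shared password"))
        first_user.setdefault(field, user)
    return findings

# Constructed sample: franz is from the page; anna and bert share one password.
SAMPLE = "\n".join([
    "franz:$2a$10$FD5dzX8liCeBzL002HiqMus9mLYJIjc0Srl5K/iUegyFn0b4gLoSG",
    sha_entry("anna", "example-pw"), sha_entry("bert", "example-pw"),
])
```

Calling `audit(SAMPLE)` reports both {SHA} entries and the shared password, while the bcrypt entry passes; a truncated bcrypt string pasted by mistake is reported as `plaintext-or-unknown`.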