.htpasswd

What is a .htpasswd file?

Apache basic-auth user database — usernames and password hashes, one per line. Read by Apache, nginx, and the htpasswd CLI.

Safety: Use caution
Type: Security
Developer: Apache Software Foundation
MIME: text/plain

What is it

A .htpasswd file stores the user/password pairs Apache (or nginx with the right module) checks for HTTP Basic Authentication. The format is `username:hash`, one entry per line: usernames in plain text, passwords hashed with bcrypt, MD5 (Apache's APR1 variant), SHA-1, or crypt. bcrypt is the only option you should use today; anything else is fast enough to brute-force from a leaked file.
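As an added example (not part of the original page and not an Apache tool), this Python script parses `username:hash` lines and labels each entry's scheme from its prefix, so entries that are not bcrypt can be found and reissued with `htpasswd -B`. The function names, scheme labels and sample entries are assumptions of this example; the sample hash fields are constructed placeholders, not real hashes.

```python
import re

# bcrypt entries look like $2y$<2-digit cost>$<53 chars of salt+hash>
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
DES_CRYPT = re.compile(r"^[./A-Za-z0-9]{13}$")  # traditional crypt(): 13 chars

def classify(hash_field):
    """Return (scheme, bcrypt_cost_or_None) for one password field."""
    m = BCRYPT.match(hash_field)
    if m:
        return "bcrypt", int(m.group(1))
    if hash_field.startswith("$apr1$"):
        return "md5-apr1", None
    if hash_field.startswith("{SHA}"):
        return "sha1", None
    if DES_CRYPT.match(hash_field):
        return "crypt", None
    return "unknown", None  # possibly plaintext or another crypt scheme

def audit(text):
    """Parse .htpasswd content into (line_no, user, scheme, cost) rows."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, rest = line.partition(":")
        if not sep or not user:
            rows.append((n, None, "malformed", None))
            continue
        scheme, cost = classify(rest.split(":", 1)[0])
        rows.append((n, user, scheme, cost))
    return rows

def needs_regeneration(rows):
    """Users whose entry is not bcrypt and should be reissued with htpasswd -B."""
    return [u for _, u, s, _ in rows if s not in ("bcrypt", "malformed")]

# Constructed sample: shape-correct placeholder hash fields, not real hashes.
SAMPLE = "\n".join([
    "# staging users",
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + "C" * 27 + "=",
    "dave:" + "D" * 13,
    "",
    "no-colon-here",
])

if __name__ == "__main__":
    print(audit(SAMPLE), needs_regeneration(audit(SAMPLE)))
```

Malformed lines are reported with their line number but left out of the regeneration list, since they name no usable account.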

Generate with the `htpasswd` CLI (ships with Apache): `htpasswd -B -c .htpasswd alice` creates a new file with a bcrypt-hashed password for alice. The `-c` flag creates a new file — never use it on an existing file because it overwrites everything. The `-B` flag selects bcrypt. Drop the resulting file outside your web root so it can't be served — typical placement is `/etc/apache2/.htpasswd` or `/etc/nginx/.htpasswd`.

Basic Auth is fine for low-stakes protection: a staging site gated from the public internet, an internal admin page, a private package registry. The password is sent on every request as base64 (not encryption — just encoding) so always serve it over HTTPS. For real authentication, use a session-based system (cookies, JWTs, OAuth). .htpasswd files are also commonly used in CI/CD to gate access to private Docker registries and self-hosted package indexes.

Technical details
Full Name: .htpasswd
MIME Type: text/plain
Developer: Apache Software Foundation
Magic Bytes: N/A
Safety: .htpasswd requires caution. Contains password hashes. Even bcrypt-hashed files should never be public — leaked hashes can be cracked offline. Keep .htpasswd outside the web root and out of version control.
What opens it
Any text editor (free, all platforms)
htpasswd (CLI), for generating / managing entries (free, all platforms)

FAQ
Is bcrypt the only safe hash format for .htpasswd?
Practically yes. Apache supports MD5 (APR1), SHA-1, crypt, and bcrypt — but only bcrypt is slow enough to resist offline brute-force from a leaked file. Use `htpasswd -B` to force bcrypt. Existing files using MD5 should be regenerated.
Should .htpasswd be in my git repo?
No. The file contains password hashes — even bcrypt hashes can be cracked given enough compute, and committing them creates a permanent record that survives password rotations. Keep .htpasswd out of git and provision it separately (server config management, CI secrets, manual deploy).
How do I add a user without overwriting existing ones?
Run `htpasswd -B .htpasswd newuser` (without `-c`). The `-c` flag creates a new file from scratch and overwrites everything, so use it once when first creating the file, then never again.