Question 1

What is an .htpasswd file?

Accepted Answer

An .htpasswd file is the credential store used by Apache's mod_auth_basic and Nginx's auth_basic for HTTP Basic Authentication. Each line is one user, formatted as username:hashed_password. When a browser requests a protected resource, the server prompts for credentials, the browser sends them in a base64-encoded Authorization header, and the server hashes the supplied password using the same algorithm as the stored hash, then compares. The file is typically named .htpasswd by convention but the name can be anything — the leading dot just hides it from default ls listings on Unix. Apache also looks for matching .htaccess files to find which directories to protect; Nginx requires explicit auth_basic directives in the server or location block.

Question 2

Which algorithm should I use — bcrypt, APR1, or SHA-1?

Accepted Answer

Bcrypt, every time, unless you have a specific reason not to. Bcrypt support landed in Apache 2.4 (2012) and works in every modern version. It's the only algorithm in htpasswd that's deliberately slow — by design, each hash takes around 100 milliseconds at the default cost 10, which makes brute-force attacks against a stolen .htpasswd file infeasible. APR1 (Apache's modified MD5) uses 1000 rounds of MD5 — it's salted and slower than plain MD5 but it's still only ~5,000× harder to crack than raw MD5, well within reach of a single GPU. SHA-1 in htpasswd is unsalted and effectively useless against modern attackers. DES crypt truncates passwords at 8 characters and is trivially crackable. Use bcrypt unless you're maintaining a legacy Apache 2.0 or 2.2 install that doesn't support it.

Question 3

Why does Apache require $2y$ instead of $2a$ or $2b$?

Accepted Answer

Apache's mod_auth_basic and the htpasswd CLI tool only accept bcrypt hashes with the $2y$ identifier. The bcrypt format has gone through several prefix revisions ($2$, $2a$, $2b$, $2x$, $2y$) to fix interoperability bugs across implementations. $2y$ was specifically added by PHP in 2012 to mark hashes generated after a security fix. Apache adopted $2y$ as the only accepted prefix in htpasswd to ensure compatibility with that fix. This generator emits $2y$ automatically — the underlying bcryptjs library produces $2a$ or $2b$ which is normalized to $2y$ before output. The actual cryptographic content is identical; only the prefix differs.

Question 4

How do I add this line to my .htpasswd file?

Accepted Answer

Three options. (1) Append from the command line: copy the generated line, then run `echo 'admin:$2y$10$...' >> /etc/apache2/.htpasswd`. The double angle bracket appends; a single one overwrites. (2) Edit the file directly with vim, nano, or your editor of choice — make sure the file ends with a newline. (3) Use the htpasswd CLI tool: `htpasswd -B /etc/apache2/.htpasswd admin` will prompt for a password and append the bcrypt-hashed line. The advantage of this tool over `htpasswd` is that it runs in your browser without needing Apache utils installed, and shows you exactly what each algorithm produces side-by-side.

Question 5

What's the difference between APR1 and standard MD5?

Accepted Answer

Standard MD5 is a single-pass hash of the password — fast and unsalted. APR1 is Apache's modification that adds an 8-character salt and runs 1000 iterations of MD5 with a specific compositing scheme designed by Poul-Henning Kamp for FreeBSD in the 1990s. The format $apr1$salt$hash makes the salt explicit. Despite the iteration count, APR1 is now considered weak — a single GPU can compute roughly 50 million APR1 attempts per second, meaning a 10-character password takes only days to brute-force. Apache documentation specifically recommends migrating from APR1 to bcrypt for new htpasswd entries.

Question 6

Where do I configure Apache to use this file?

Accepted Answer

In your Apache config (httpd.conf, the relevant virtual host file, or a .htaccess file in the protected directory), add a Location or Directory block: ` AuthType Basic AuthName "Restricted" AuthUserFile /path/to/.htpasswd Require valid-user `. The path in AuthUserFile must be absolute and the .htpasswd file must be readable by the user Apache runs as (usually www-data on Debian/Ubuntu or apache on RHEL/CentOS). For security, place .htpasswd OUTSIDE the document root — never inside a directory the web server might serve. After saving the config, run `apachectl configtest` to validate syntax, then `apachectl graceful` to reload without dropping connections.

Question 7

Where do I configure Nginx to use this file?

Accepted Answer

In your Nginx server or location block, add two directives: `auth_basic "Restricted Area"; auth_basic_user_file /etc/nginx/.htpasswd;`. The first sets the realm shown in the browser's authentication prompt; the second points to the password file. Nginx accepts the same .htpasswd format as Apache, including bcrypt $2y$, APR1 $apr1$, and SHA-1 {SHA} hashes. Place the file outside Nginx's document root (e.g. /etc/nginx/ is conventional). After editing, run `nginx -t` to test the configuration and `nginx -s reload` to apply. Unlike Apache, Nginx doesn't support .htaccess-style per-directory overrides — all auth configuration must live in your main config files.

Question 8

Can I use this with .htaccess?

Accepted Answer

Yes, this is the classic use case. Place a .htaccess file in the directory you want to protect with these contents: `AuthType Basic AuthName "Protected" AuthUserFile /path/to/.htpasswd Require valid-user`. The AuthUserFile path must be absolute. Apache must also be configured to honor .htaccess overrides — either globally (`AllowOverride AuthConfig` in the main config) or per-directory. For .htaccess to be useful, the protected directory's parent must have `AllowOverride All` or at least `AllowOverride AuthConfig`. If your hosting provider doesn't allow .htaccess, you'll need to put the auth block in your virtual host config instead.

Question 9

Is bcrypt cost 10 enough in 2026?

Accepted Answer

For new htpasswd files, OWASP recommends bcrypt cost ≥ 10 as of the 2024 Password Storage Cheat Sheet. Cost 10 means 2^10 = 1,024 iterations of the internal Blowfish key schedule, which takes around 100 milliseconds per hash on a modern server. That's still substantial — a single GPU runs ~30,000 cost-10 bcrypt attempts per second, so an 8-character random password takes years to brute-force. Cost 12 (4× slower) is becoming the new default in most languages' standard libraries; cost 14 adds another 16× margin but pushes login times noticeably over 1 second. For high-value targets, use cost 12-14. For an internal admin panel with a strong 16-char password, cost 10 is fine. The cost in this tool is adjustable via the slider — pick what your server can handle without making logins feel slow.

Algorithm	Prefix	Salted	Speed (1 GPU)	Verdict
bcrypt	$2y$	Yes	~30K/sec	Recommended
APR1	$apr1$	Yes	~50M/sec	Legacy only
SHA-1	{SHA}	No	~25B/sec	Don't use
DES crypt	(13 chars)	2-byte	~700M/sec	Broken

HTPasswd Generator

Algorithm Comparison

Apache Configuration Example

Nginx Configuration Example

Common Pitfalls

Frequently Asked Questions