htpasswd – The file to store passwords

Htpasswd files are used when password protecting a website or a directory using HTTP Authentication and Apache’s htaccess files.

The htpasswd file contains each username in plain text (unencrypted) together with a hashed password. Here’s an example:

andreas:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0
john:$apr1$IHaD0/..$N9ne/Bqnh8.MyOtvKU56j1

Each line contains a username and a hashed password separated by a colon ":". You cannot see the actual passwords because they are hashed using a one-way algorithm. The default algorithm differs from platform to platform: on Windows the passwords are hashed using MD5, and on Linux it is based on a system function called “crypt()”. The htpasswd generator on this site uses MD5, which means that the hashed passwords can be used on both Windows and Linux.

Filename

Normally the htpasswd file is named .htpasswd, but you are free to name your password file whatever you like. It is perfectly valid to use a name like "passwords.txt", which may seem more appealing to Windows users. However, there is one catch: Apache is usually configured to deny access to files whose names start with ".ht". If you name your password file "passwords.txt", a user can access it and retrieve all valid usernames. Since the passwords are hashed he can’t use them directly, but the file will help him gain access using brute force.

It is therefore recommended to name a password file .htpasswd.
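
The format and the naming rule described above can be checked with a short script. This is an added example, not code from this site or from Apache: it parses htpasswd lines, reports which hash scheme each entry uses, and tests whether a file name falls under the usual ".ht" deny rule. The function names, the schemes other than $apr1$, and the constructed {SHA} sample line are assumptions that go beyond what the article covers.

```python
import base64
import hashlib
import re

# (scheme, pattern, note). Every scheme except $apr1$ goes beyond the article.
SCHEMES = [
    ("apr1-md5", re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
     "salted, 1000 MD5 rounds: portable but fast to brute-force"),
    ("bcrypt", re.compile(r"\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}"),
     "salted, adjustable cost: slowest to brute-force of these"),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="),
     "unsalted SHA-1: equal passwords give equal hashes"),
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}"),
     "traditional crypt(): only the first 8 characters count"),
]

def classify(hash_field):
    # Return (scheme, note) for the text after the colon.
    for name, pattern, note in SCHEMES:
        if pattern.fullmatch(hash_field):
            return name, note
    return "unknown", "not a recognised hash, possibly plain text"

def parse_htpasswd(text):
    """Return [(user, scheme, note)], skipping blank and '#' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash")
        entries.append((user, *classify(hash_field)))
    return entries

def hidden_by_ht_rule(path):
    # True if the file name starts with ".ht" (assumes the usual deny rule is active).
    return re.split(r"[\\/]", path)[-1].startswith(".ht")

# Sample: the article's two lines plus one constructed {SHA} entry.
SHA_LINE = "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode()
SAMPLE = ("andreas:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0\n"
          "john:$apr1$IHaD0/..$N9ne/Bqnh8.MyOtvKU56j1\n" + SHA_LINE)

if __name__ == "__main__":
    for user, scheme, note in parse_htpasswd(SAMPLE):
        print(f"{user:8} {scheme:10} {note}")
```

An entry reported as "unknown" or "sha1" is worth regenerating with a salted scheme, and a password file for which hidden_by_ht_rule returns False needs its own access rule or a location outside the served directory.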

Generating passwords

Hashed passwords can be generated with the command-line tool htpasswd (htpasswd.exe on Windows) which is part of a normal Apache installation. You can also create passwords using the htpasswd generator on this site, or create passwords yourself using PHP.