
Htpasswd Generator

Type a password to see the .htpasswd line. Hashing happens in your browser; nothing is uploaded.

Use bcrypt for production

The {SHA} digest above is unsalted SHA-1: fine for a small internal test server, but weak against offline brute-force attacks on a public-facing site. For real production use, generate the line with Apache's htpasswd -B -c .htpasswd user (bcrypt) command. bcrypt is possible in the browser via WASM, but it adds a heavy dependency that isn't worth bundling for the typical use case here.

An htpasswd generator builds the credential lines used by Apache and nginx for HTTP Basic Auth: a username, a colon, and a hashed password. You stick the line in a .htpasswd file; the web server reads it on every request to protected paths. Useful for staging environments, internal admin pages, or any quick-and-dirty authentication that doesn't justify a full identity provider.

Hashing happens in your browser via the Web Crypto API, so your password never leaves the device. The generator uses the SHA-1 digest format ({SHA} prefix), a format defined by Apache and accepted by both Apache and nginx. For production, run Apache's actual htpasswd -B command to get a bcrypt-hashed line: bcrypt is salted and deliberately slow, which is what makes it resistant to offline brute force, and shipping bcrypt-WASM in a 10-KB browser tool isn't worth the dependency for the typical use case.

How to Use

  1. Type a username and password.
  2. Copy the .htpasswd line from the Result box (or click Copy line).
  3. Save it to a file (typically /etc/nginx/.htpasswd or /etc/apache2/.htpasswd, but anywhere outside the web root works).
  4. Paste the matching nginx or Apache config snippet into your server block / vhost / .htaccess.
  5. Reload the web server. Visit the protected URL — you'll get a Basic Auth prompt.

When to Use

  • Putting a Basic Auth wall in front of a staging environment so search engines don't index it.
  • Locking down a server-side admin panel (phpMyAdmin, Munin, Grafana behind a reverse proxy).
  • Quickly password-protecting a static site you've thrown on a VPS.

When Not to Use

  • Public-facing user accounts — Basic Auth has no logout, no password reset, no rate limiting. Use a real auth system (Auth0, Clerk, Supabase Auth, Keycloak).
  • Single-page apps where you want a polished login form — Basic Auth's browser dialog is browser-controlled and ugly.
  • High-security admin access — pair Basic Auth with a VPN / Tailscale / Cloudflare Access at minimum; never expose an admin UI to the public internet behind only Basic Auth.

How It Works

Web Crypto's crypto.subtle.digest("SHA-1", ...) hashes the password bytes into a 20-byte digest, base64-encoded and prefixed with {SHA} per Apache's convention. The line shape: username:{SHA}base64digest.

On every request to a protected path, the server reads the .htpasswd file, looks up the username, hashes the password the client sent, and compares to the stored digest. SHA-1 is fast both for legitimate verification and for an attacker doing offline brute force — that's why bcrypt is preferred for anything more sensitive than a private staging server.
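The line format and the bcrypt recommendation above, as an added example (not the generator's own code): a Python sketch that builds and verifies a {SHA} field, then audits a .htpasswd file by hash scheme and reports users whose unsalted digests are identical. The sample file, function names and scheme labels are assumptions made for illustration; the {SHA} value is the digest of the string "password", and the bcrypt and apr1 entries are placeholders.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed sample .htpasswd contents. The bcrypt and apr1 fields are
# placeholders recognised by prefix only, not real hashes.
SAMPLE = """\
# staging users
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$2y$10$PLACEHOLDER
dave:$apr1$PLACEHOLDER$PLACEHOLDER
"""
PREFIXES = {"{SHA}": "sha1-unsalted", "$2y$": "bcrypt", "$2a$": "bcrypt",
            "$2b$": "bcrypt", "$apr1$": "apr1-md5"}

def sha_field(password):
    """{SHA} + base64 of the 20-byte SHA-1 digest of the UTF-8 password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def sha_line(user, password):
    """Build the user:{SHA}digest line; ':' would corrupt the field split."""
    if not user or ":" in user:
        raise ValueError("username must be non-empty and contain no ':'")
    return f"{user}:{sha_field(password)}"

def verify_sha(stored_field, password):
    """Hash the supplied password and compare to the stored field in constant time."""
    return hmac.compare_digest(stored_field.encode(), sha_field(password).encode())

def audit(text):
    """Return ({user: scheme}, [users sharing one unsalted {SHA} digest])."""
    schemes, by_digest = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comments, blanks and malformed lines
        user, field = line.split(":", 1)
        schemes[user] = next((n for p, n in PREFIXES.items() if field.startswith(p)), "other")
        if schemes[user] == "sha1-unsalted":
            by_digest[field].append(user)
    return schemes, [u for u in by_digest.values() if len(u) > 1]

if __name__ == "__main__":
    schemes, shared = audit(SAMPLE)
    for user, scheme in schemes.items():
        print(user, scheme, "" if scheme == "bcrypt" else "-> regenerate with htpasswd -B")
    print("identical unsalted digests (same password):", shared)
```

Because {SHA} has no salt, two users with the same password get byte-identical fields, which is why the audit can group them without knowing the password.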

Example

Input
admin / hunter2
Output
admin:{SHA}9HmlXAKdJ/jQ7KBEEkN+s5Xrwt0=

Apache and nginx both accept this format. The {SHA} prefix tells the server to verify by SHA-1-base64 of the supplied password.

Frequently Asked Questions

Why SHA and not bcrypt?

Bcrypt requires a WASM library (~80 KB) to run in-browser; not worth bundling for one tool. Apache's `htpasswd -B` produces bcrypt lines locally; we recommend running it for production. For a small private staging server, the SHA digest is fine.

Where do I put the .htpasswd file?

Anywhere outside the web root. Common: /etc/nginx/.htpasswd or /etc/apache2/.htpasswd. Set chmod 600 (use the chmod calculator), with the file owned by the web server user, so only that user can read it.

Can I have multiple users?

Yes — generate one line per user and append them all to .htpasswd. The web server reads the whole file on every request (cached) and matches by username.

How do I delete a user?

Edit .htpasswd and remove the line. Reload the web server (`nginx -s reload` / `systemctl reload apache2`). The user's session is gone immediately — Basic Auth is stateless.

What about HTTPS?

Critical. Basic Auth sends `username:password` base64-encoded in every request. Without HTTPS, anyone on the network sees credentials in plaintext. Always pair Basic Auth with HTTPS.