LinuxCommandLibrary

htpasswd

Create and update user authentication files

TLDR

Create/overwrite htpasswd file

$ htpasswd -c [path/to/file] [username]
copy

Add user to htpasswd file or update existing user
$ htpasswd [path/to/file] [username]
copy

Add user to htpasswd file in batch mode without an interactive password prompt (for script usage)
$ htpasswd -b [path/to/file] [username] [password]
copy

Delete user from htpasswd file
$ htpasswd -D [path/to/file] [username]
copy

Verify user password
$ htpasswd -v [path/to/file] [username]
copy

Display a string with username (plain text) and password (md5)
$ htpasswd -nbm [username] [password]
copy

SYNOPSIS

htpasswd [ options ] passwordfile username

PARAMETERS

-c
    Create a new password file. If the file already exists, it will be overwritten. Use with caution!

-n
    Do not update the password file; instead, display the results on standard output.

-m
    Force MD5 encryption of the password (default on some systems, but strongly discouraged due to security risks).

-d
    Force CRYPT encryption of the password.

-s
    Force SHA1 encryption of the password (discouraged).

-p
    Do not encrypt passwords, use plaintext.

-B
    Force bcrypt encryption of the password (recommended).

-r
    Force APR MD5 encryption of the password.

-D
    Delete username from the password file.

-v
    Verbose mode.

-b
    Use batch mode; read username and password from command line (less secure).

passwordfile
    The path to the password file.

username
    The username to add or modify.

password
    The password for the user (only when using -b).

DESCRIPTION

The htpasswd command is used to create and update the username/password authentication files used by Apache HTTP Server. These files store usernames and encrypted passwords that Apache can use to authenticate users trying to access restricted areas of a website. htpasswd provides a simple and secure way to manage user credentials without storing them directly in the Apache configuration files. It supports various password encryption algorithms like bcrypt, SHA1, and MD5 (though MD5 is highly discouraged due to security vulnerabilities). It's crucial to choose a strong encryption method and to regularly update passwords for better security. When adding or modifying users, htpasswd ensures proper formatting of the authentication file, which is essential for Apache to correctly interpret the data. The tool is essential for basic authentication schemes for web servers running Apache.

CAVEATS

Storing passwords in MD5 or SHA1 is highly discouraged due to security vulnerabilities. Always use bcrypt or a more secure algorithm. Also be aware when using the -b parameter since the password can be seen on the command line.

EXAMPLES

Creating a new htpasswd file:
htpasswd -c .htpasswd username

Adding a user to an existing file:
htpasswd .htpasswd username

Deleting a user:
htpasswd -D .htpasswd username

SECURITY CONSIDERATIONS

Always choose strong passwords and use bcrypt encryption for enhanced security. Protect the .htpasswd file by restricting access with appropriate file permissions to prevent unauthorized modifications.

SEE ALSO

apache2(8)

Copied to clipboard