LinuxCommandLibrary

htpasswd

Create and update user authentication files

TLDR

Create/overwrite htpasswd file
$ htpasswd -c [path/to/file] [username]

Add user to htpasswd file or update existing user
$ htpasswd [path/to/file] [username]

Add user to htpasswd file in batch mode without an interactive password prompt (for script usage)
$ htpasswd -b [path/to/file] [username] [password]

Delete user from htpasswd file
$ htpasswd -D [path/to/file] [username]

Verify user password
$ htpasswd -v [path/to/file] [username]

Display a string with username (plain text) and password (MD5 hash)
$ htpasswd -nbm [username] [password]

SYNOPSIS

htpasswd [-options] passwordfile username
htpasswd -c|b|D|v [-options] passwordfile username

PARAMETERS

-b
    Use password from command line rather than prompting

-c
    Create new passwordfile (overwrites if exists)

-C cost
    Set bcrypt cost factor (4-31, default 10)

-d
    Use crypt() DES encryption (weak, deprecated)

-D
    Delete specified user from passwordfile

-m
    Use MD5 encryption (default)

-B
    Use bcrypt encryption (recommended)

-p
    Store unencrypted plaintext password (insecure)

-P
    Use Apache APR MD5 encryption

-s
    Use SHA-1 encryption

-S
    Use Apache server-side SHA encryption

-t
    Show detected encryption in output

-v
    Verify password for existing user

DESCRIPTION

htpasswd is a command-line utility from the Apache HTTP Server suite used to create and update flat-file databases containing usernames and encrypted passwords for HTTP basic authentication. It supports various encryption methods like MD5 (default), bcrypt, SHA-1, and crypt, allowing secure storage of credentials referenced in .htaccess files or server configuration directives such as AuthUserFile.

Typically invoked to add, delete, or verify users, it prompts for passwords interactively or accepts them via command line for scripting. The password file is usually placed outside the web root for security, e.g., /etc/apache2/.htpasswd. It integrates with Apache modules like mod_authn_file and mod_auth_basic.

Bcrypt (-B) is recommended for modern setups due to strength against brute-force attacks; avoid plaintext (-p). Verification (-v) checks credentials without modifying files. Widely used in web server hardening, CGI scripts, and development environments.

CAVEATS

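Password files must be protected (chmod 600); use HTTPS with basic auth; avoid weak algorithms such as -d or -p; a password passed with -b appears on the command line, where the process list and shell history can expose it; bcrypt is limited by CPU cost (a higher -C value makes every password check slower).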

EXAMPLE USAGE

Create file: htpasswd -c -B /etc/.htpasswd user
Add user: htpasswd -B /etc/.htpasswd newuser
Delete: htpasswd -D /etc/.htpasswd user

FILE FORMAT

Colon-separated: username:encrypted_password (one per line)
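
As an added example (not part of the original page or of the Apache project's code), the sh functions below audit a password file against the CAVEATS and FILE FORMAT sections: they parse username:hash lines, recognise the stored scheme from the hash prefix, and check the file mode. The function names, the verdict labels and the MIN_COST threshold are assumptions of this example, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example: audit htpasswd entries (username:hash, one per line).
MIN_COST=10   # assumed local policy threshold for bcrypt cost, not an htpasswd setting

# classify_hash HASH -> prints "<scheme> <verdict>" (verdicts are this script's own labels)
classify_hash() {
    case "$1" in
        '$2'[aby]'$'*)                         # bcrypt (-B): $2y$<cost>$<salt+hash>
            cost=${1#??[aby]?}; cost=${cost%%\$*}; cost=${cost#0}
            case "$cost" in
                ''|*[!0-9]*) echo "bcrypt malformed" ;;
                *) if [ "$cost" -lt "$MIN_COST" ]; then echo "bcrypt low-cost($cost)"
                   else echo "bcrypt ok"; fi ;;
            esac ;;
        '$apr1$'*) echo "apr1-md5 review" ;;   # salted, iterated MD5 (-m)
        '{SHA}'*)  echo "sha1 weak" ;;         # unsalted SHA-1 (-s)
        '$'*'$'*)  echo "other-crypt review" ;; # some other $id$ scheme: check by hand
        *)  # 13 chars of the crypt alphabet look like DES crypt (-d); else plaintext (-p)
            case "$1" in
                *[!./0-9A-Za-z]*) echo "plaintext weak" ;;
                *) if [ "${#1}" -eq 13 ]; then echo "des-crypt weak"
                   else echo "plaintext weak"; fi ;;
            esac ;;
    esac
}

# audit_htpasswd: reads htpasswd lines on stdin, prints "<user> <scheme> <verdict>"
audit_htpasswd() {
    while IFS=: read -r user hash || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done
}

# mode_ok FILE: succeeds only if FILE's permission bits are exactly 600 (see CAVEATS)
mode_ok() { [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]; }

# Constructed sample entries: dummy strings with the right shape, not real hashes
sample_entries() {
    cat <<'EOF'
alice:$2y$12$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTED0
bob:$2y$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTED0
carol:$apr1$dummysal$CONSTRUCTEDconstructed
dave:{SHA}CONSTRUCTEDdummyvalue000000=
erin:abCONSTRUCTED
frank:not-a-hash
EOF
}
sample_entries | audit_htpasswd   # demo run on the constructed entries
```

To audit a real file, run `audit_htpasswd < [path/to/file]` and `mode_ok [path/to/file]`; the hashes themselves are never printed.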

HISTORY

Developed for Apache HTTP Server 0.6.2 (1995); enhanced in Apache 2.4 with bcrypt (-B, 2012) and Argon2 support in later patches; standard in most Linux distros via apache2-utils package.

SEE ALSO

apache2(8), httpd(8), .htaccess(5), htdigest(1)
