.htpasswd is a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, although ".htpasswd" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with a dot to be hidden. The htpasswd command is used to manage .htpasswd file entries.
htpasswd - Manage user files for basic authentication - Apache HTTP Server Version 2.4
httpd.apache.org →Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd . This program can only manage usernames and passwords stored in a flat-file. It can hash and display password information for use in other types of data stores, though. To use a DBM database see dbmmanage or htdbm . htpasswd hashes passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's crypt() routine. SHA-2-based hashes (SHA-256 and SHA-512) are supported for crypt() . Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-hashed passwords while others in the same file may have passwords hashed with crypt() . This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at . Use batch mode; i.e. , get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line. For script use see the -i option. Available in 2.4.4 and later. Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option. Display the results on standard output rather than updating a file. This is useful for generating password records acceptable to Apache for inclusion in non-text data stores. This option changes the syntax of the command line, since the passwdfile argument (usually the first one) is omitted. It cannot be combined with the -c option. Use MD5 hashing for passwords. This is the default (since version 2.2.18). Use SHA-256 crypt() based hashes for passwords. This is supported on most Unix platforms. Use SHA-512 crypt() based hashes for passwords. This is supported on most Unix platforms. Use bcrypt hashing for passwords. This is currently considered to be very secure. Use crypt() hashing for passwords. This is not supported by the httpd server on Windows and Netware. This algorithm limits the password length to 8 characters. This algorithm is insecure by today's standards. It used to be the default algorithm until version 2.2.17. Use SHA-1 (160-bit) hashing for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif). This algorithm is insecure by today's standards. Use plaintext passwords. Though htpasswd will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware. Verify password. Verify that the given password matches the password of the user stored in the specified htpasswd file. Available in 2.4.5 and later. The plaintext password to be hashed and stored in the file. Only used with the -b flag. Adds or modifies the password for user jsmith . The user is prompted for the password. The password will be hashed using the modified Apache MD5 algorithm. If the file does not exist, htpasswd will do nothing except return an error. Encrypts the password from the command line ( Pwd4Steve ) using the crypt() algorithm, and stores it in the specified file. Web password files such as those managed by htpasswd should not be within the Web server's URI space -- that is, they should not be fetchable with a browser. When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded. The SHA-1 hashing format does not use salting: for a given password, there is only one hashed representation. The crypt() and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult. The SHA-2-based crypt() formats (SHA-256 and SHA-512) are supported on most modern Unix system
~2 min read
.htpasswd is a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, although ".htpasswd" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with a dot to be hidden. The htpasswd command is used to manage .htpasswd file entries.
== History == htpasswd was first added in the NCSA HTTPd server, which is the predecessor to Apache. The hash historically used "UNIX crypt" style with MD5 or SHA1 as common alternatives. In Apache 2.4, the bcrypt algorithm was added.
Excerpt from a page describing this subject · 13,628 chars · not written by Vinony
via Wikidata · CC0
Discovered by embedding cosine similarity (sentence-transformers MiniLM, 384-dim).