Which algorithm does this use?

APR1 implements Apache's $apr1$ MD5 crypt format exactly — a 1000-round MD5 derivation with an 8-character random salt and Apache's custom base64 ordering. The SHA-1 option produces {SHA} followed by base64 of SHA1(password), the htpasswd -s format.

Why does the hash change every time for the same password?

APR1 uses a fresh random salt on each generation, so the resulting hash differs each time. This is correct and expected — Apache verifies the password against the embedded salt. SHA-1 has no salt and is therefore deterministic.

Should I use APR1 or SHA-1?

Prefer APR1 (Apache MD5) for most setups — it is salted and iterated, so it resists precomputed (rainbow-table) attacks far better than the unsalted SHA-1 scheme. Use SHA-1 only if a tool specifically requires the {SHA} format.

Where do I put the generated entry?

Paste the username:hash line into your .htpasswd file (one per line), then point your server at it — AuthUserFile in Apache, or auth_basic_user_file in Nginx — for a protected location.

Is HTTP Basic Auth secure on its own?

Only over HTTPS. Basic Auth sends the username and password base64-encoded (not encrypted) on every request, so always serve the protected area over TLS to keep credentials private in transit.

Is my password sent anywhere?

No. Both the APR1 and SHA-1 hashing run entirely in your browser using a self-contained MD5 implementation and the Web Crypto API. The password is never transmitted or stored.

htpasswd Generator — Gera Tools

htpasswd generator

Create .htpasswd entries for Apache and Nginx HTTP Basic Auth. Choose the APR1 (Apache MD5) crypt format used by htpasswd -m, or the SHA-1 {SHA} base64 scheme used by htpasswd -s, and copy the username:hash line straight into your password file.

How it works

For APR1 the tool follows the published Apache algorithm exactly: it draws a random 8-character salt, then runs a 1000-round MD5 key-derivation that repeatedly folds the password and salt together, and encodes the result with Apache’s custom base64 alphabet, producing $apr1$<salt>$<hash>. The salting and iteration make it resistant to rainbow-table attacks, and a new salt each run means the same password yields a different (still valid) hash every time. For SHA-1 it computes {SHA} + base64 of SHA1(password) via the Web Crypto API — unsalted and therefore deterministic.

Example

Username admin, password secret, APR1 scheme produces a line like:

admin:$apr1$Xy3kP9aZ$h0Q1m...

Add it to .htpasswd, then protect a directory:

AuthType Basic
AuthName "Restricted"
AuthUserFile /path/.htpasswd
Require valid-user

Scheme	Format	Salted	htpasswd flag
APR1	$apr1$…	Yes	-m
SHA-1	`{SHA}base64`	No	-s

It is privacy-first: the password is hashed entirely in your browser and never leaves your device. Always serve Basic Auth over HTTPS.