htpasswd generator - password encryption

This web app is a JavaScript port of the Apache server's htpasswd utility. To ensure total privacy, no server-side computing is involved: your data stays in your browser. This app is entirely client-side; I even encourage you to use it offline.
In your browser, the cryptographic random number generator is available.


Users (one per line, with or without a password) : Hashing algorithm :

Password generator options

htpasswd file

The crypt(3) algorithm truncates all passwords to 8 characters max.
Your data contains non-ASCII characters. The password file will have to be saved in ISO-8859-1 for Firefox and Chrome, or UTF-8 for Opera. If you want to ensure browser compatibility, use only ASCII.
Your data contains Unicode characters. Only Opera can handle Unicode authentication, if your password file is saved in UTF-8.

Hashing algorithms

bcrypt $2y$ or $2a$ prefix
This algorithm is currently considered to be very secure. Bcrypt hashes are very slow to compute (which is one of the reasons why they are secure). The cost parameter sets the computing time used (higher is more secure but slower, default: 5, valid: 4 to 31).
Warning : think carefully before you try values above 10, this thing is really slow. You could freeze your computer.
Compatibility : Apache since version 2.4 (needs apr-util 1.5+)
md5 (APR) $apr1$ prefix
Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random salt and the password. This is the default (since Apache version 2.2.18).
Compatibility : all Apache versions, Nginx 1.0.3+.
crypt(3) no prefix
It used to be the default algorithm until Apache version 2.2.17. It limits the password length to 8 characters. Considered insecure.
Compatibility : all Apache and Nginx versions, Unix only.
salted sha-1 {SSHA} prefix
Considered insecure. The use of salt makes it more time-consuming to crack a list of passwords. However, it does not make dictionary attacks harder when cracking a single password.
Compatibility : Nginx 1.0.3+ only.
sha-1 {SHA} prefix
Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif). This algorithm is insecure by today's standards.
Compatibility : all Apache versions, Nginx 1.3.13+.
Plaintext (no hashing) no prefix for Apache, {PLAIN} for Nginx
Use plaintext passwords. Insecure.
Compatibility : all Windows and Netware Apache versions, Nginx 1.0.3+.
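
The prefixes listed above are enough to audit an existing password file. The following Python script is an added example, not part of this web app: it classifies each entry by prefix and shows why unsalted {SHA} entries expose users who share a password while {SSHA} entries do not. The 13-character test for crypt(3), the 8-byte salt and the sample users are assumptions made for the example.

```python
import base64
import hashlib
import os
import re

# (pattern, scheme, does this page call it insecure?) using the prefixes listed above
SCHEMES = [
    (r"\$2[ay]\$(\d{2})\$", "bcrypt", False),
    (r"\$apr1\$", "md5 (APR)", False),
    (r"\{SSHA\}", "salted sha-1", True),
    (r"\{SHA\}", "sha-1", True),
    (r"\{PLAIN\}", "plaintext", True),
    (r"[./0-9A-Za-z]{13}$", "crypt(3)", True),  # assumption: classic 13-char DES crypt
]

def classify(field):
    """Return (scheme, insecure, bcrypt cost or None) for one hash field."""
    for pattern, name, insecure in SCHEMES:
        m = re.match(pattern, field)
        if m:
            return name, insecure, int(m.group(1)) if m.groups() else None
    # Apache on Windows/Netware stores plaintext with no prefix at all
    return "plaintext or unrecognised", True, None

def make_sha(password):
    """{SHA}: base64 of the unsalted SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def make_ssha(password, salt=None):
    """{SSHA}: base64 of SHA-1(password + salt) with the salt appended."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def audit(text):
    """Return ([(user, scheme, insecure, cost)], [users sharing one hash field])."""
    findings, by_hash = [], {}
    for line in text.splitlines():
        user, sep, field = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            findings.append((user, *classify(field)))
            by_hash.setdefault(field, []).append(user)
    return findings, [u for u in by_hash.values() if len(u) > 1]

# Constructed sample file: four users who all chose the same password
SAMPLE = "\n".join(
    [f"{u}:{make_sha('password')}" for u in ("alice", "bob")]
    + [f"{u}:{make_ssha('password')}" for u in ("carol", "dave")]
)
```

Calling `audit(SAMPLE)` groups alice and bob together because their {SHA} fields are byte-for-byte identical, while carol and dave, with the same password under {SSHA}, are not grouped.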

Setting up your server

• The directory in which you place your password file must not be accessible from the web, or your users could download it.
• Use an https connection if you can, to avoid transferring credentials in plain text.

Apache .htaccess file

AuthUserFile /path/to/htpasswd
AuthGroupFile /dev/null
AuthName "Authorized personnel only."
AuthType Basic
Require valid-user

Nginx configuration

location / {
  auth_basic            "Authorized personnel only.";
  auth_basic_user_file  /path/to/htpasswd;
}