1HTPASSWD(1)                        htpasswd                        HTPASSWD(1)
2
3
4

NAME

6       htpasswd - Manage user files for basic authentication
7
8

SYNOPSIS

10       htpasswd [ -c ] [ -i ] [ -m | -B | -2 | -5 | -d | -s | -p ] [ -r rounds
11       ] [ -C cost ] [ -D ] [ -v ] passwdfile username
12
13
14       htpasswd -b [ -c ] [ -m | -B | -2 | -5 | -d | -s | -p ] [ -r rounds ] [
15       -C cost ] [ -D ] [ -v ] passwdfile username password
16
17
18       htpasswd -n [ -i ] [ -m | -B | -2 | -5 | -d | -s | -p ] [ -r rounds ] [
19       -C cost ] username
20
21
22       htpasswd -nb [ -m | -B | -2 | -5 | -d | -s | -p ] [ -r rounds  ]  [  -C
23       cost ] username password
24
25
26

SUMMARY

28       htpasswd  is  used  to  create  and update the flat-files used to store
29       usernames and password for  basic  authentication  of  HTTP  users.  If
30       htpasswd  cannot  access a file, such as not being able to write to the
31       output file or not being able to read the file in order to  update  it,
32       it returns an error status and makes no changes.
33
34
35       Resources  available  from  the Apache HTTP server can be restricted to
36       just the users listed in the files created by  htpasswd.  This  program
37       can  only  manage usernames and passwords stored in a flat-file. It can
38       encrypt and display password information for use in other types of data
39       stores, though. To use a DBM database see dbmmanage or htdbm.
40
41
42       htpasswd encrypts passwords using either bcrypt, a version of MD5 modi‐
43       fied for Apache, SHA-1, or the system's  crypt()  routine.  SHA-2-based
44       hashes  (SHA-256  and SHA-512) are supported for crypt(). Files managed
45       by htpasswd may contain a mixture of different encoding types of  pass‐
46       words;  some  user  records  may have bcrypt or MD5-encrypted passwords
47       while others in  the  same  file  may  have  passwords  encrypted  with
48       crypt().
49
50
51       This  manual page only lists the command line arguments. For details of
52       the directives necessary to configure user authentication in httpd  see
53       the  Apache  manual, which is part of the Apache distribution or can be
54       found at http://httpd.apache.org/.
55
56
57

OPTIONS

59       -b     Use batch mode; i.e., get the password  from  the  command  line
60              rather  than  prompting  for it. This option should be used with
61              extreme care, since the password is clearly visible on the  com‐
62              mand  line. For script use see the -i option. Available in 2.4.4
63              and later.
64
65       -i     Read the password from stdin without  verification  (for  script
66              usage).
67
68       -c     Create  the  passwdfile.  If  passwdfile  already  exists, it is
69              rewritten and truncated. This option cannot be combined with the
70              -n option.
71
72       -n     Display  the  results  on standard output rather than updating a
73              file. This is useful for generating password records  acceptable
74              to  Apache  for  inclusion  in non-text data stores. This option
75              changes the syntax of the command  line,  since  the  passwdfile
76              argument  (usually  the first one) is omitted. It cannot be com‐
77              bined with the -c option.
78
79       -m     Use MD5 encryption for passwords. This  is  the  default  (since
80              version 2.2.18).
81
82       -2     Use  SHA-256  crypt()  based  hashes for passwords. This is sup‐
83              ported on most Unix platforms.
84
85       -5     Use SHA-512 crypt() based hashes for  passwords.  This  is  sup‐
86              ported on most Unix platforms.
87
88       -B     Use  bcrypt  encryption for passwords. This is currently consid‐
89              ered to be very secure.
90
91       -C     This flag is only allowed in combination with -B (bcrypt encryp‐
92              tion).  It sets the computing time used for the bcrypt algorithm
93              (higher is more secure but slower, default: 5, valid: 4 to 17).
94
95       -r     This flag is only allowed in combination with -2 or -5. It  sets
96              the  number of hash rounds used for the SHA-2 algorithms (higher
97              is more secure but slower; the default is 5,000).
98
99       -d     Use crypt() encryption for passwords. This is not  supported  by
100              the  httpd  server on Windows and Netware. This algorithm limits
101              the password length to 8 characters. This algorithm is  insecure
102              by  today's standards. It used to be the default algorithm until
103              version 2.2.17.
104
105       -s     Use SHA-1 (160-bit) encryption for passwords. Facilitates migra‐
106              tion  from/to  Netscape  servers using the LDAP Directory Inter‐
107              change Format (ldif). This  algorithm  is  insecure  by  today's
108              standards.
109
110       -p     Use  plaintext  passwords. Though htpasswd will support creation
111              on all platforms, the httpd daemon will only accept  plain  text
112              passwords on Windows and Netware.
113
114       -D     Delete  user.  If  the username exists in the specified htpasswd
115              file, it will be deleted.
116
117       -v     Verify password. Verify that  the  given  password  matches  the
118              password  of  the  user  stored  in the specified htpasswd file.
119              Available in 2.4.5 and later.
120
121       passwdfile
122              Name of the file to contain the user name and password. If -c is
123              given,  this  file  is  created if it does not already exist, or
124              rewritten and truncated if it does exist.
125
126       username
127              The username to create or update in passwdfile. If username does
128              not exist in this file, an entry is added. If it does exist, the
129              password is changed.
130
131       password
132              The plaintext password to be encrypted and stored in  the  file.
133              Only used with the -b flag.
134
135

EXIT STATUS

137       htpasswd  returns  a  zero status ("true") if the username and password
138       have been successfully added or updated  in  the  passwdfile.  htpasswd
139       returns 1 if it encounters some problem accessing files, 2 if there was
140       a syntax problem with the command line, 3 if the password  was  entered
141       interactively  and the verification entry didn't match, 4 if its opera‐
142       tion was interrupted, 5 if a value is  too  long  (username,  filename,
143       password, or final computed record), 6 if the username contains illegal
144       characters (see the Restrictions section), and 7 if the file is  not  a
145       valid password file.
146
147

EXAMPLES

149             htpasswd /usr/local/etc/apache/.htpasswd-users jsmith
150
151
152
153       Adds or modifies the password for user jsmith. The user is prompted for
154       the password. The password will be encrypted using the modified  Apache
155       MD5  algorithm.  If  the  file does not exist, htpasswd will do nothing
156       except return an error.
157
158
159             htpasswd -c /home/doe/public_html/.htpasswd jane
160
161
162
163       Creates a new file and stores a record in it for user jane. The user is
164       prompted  for  the  password. If the file exists and cannot be read, or
165       cannot be written, it is not altered and htpasswd will display  a  mes‐
166       sage and return an error status.
167
168
169             htpasswd -db /usr/web/.htpasswd-all jones Pwd4Steve
170
171
172
173       Encrypts  the  password  from  the  command  line (Pwd4Steve) using the
174       crypt() algorithm, and stores it in the specified file.
175
176

SECURITY CONSIDERATIONS

178       Web password files such as those managed  by  htpasswd  should  not  be
179       within the Web server's URI space -- that is, they should not be fetch‐
180       able with a browser.
181
182
183       This program is not safe as a setuid executable. Do not make it setuid.
184
185
186       The use of the -b option is discouraged, since  when  it  is  used  the
187       unencrypted password appears on the command line.
188
189
190       When using the crypt() algorithm, note that only the first 8 characters
191       of the password are used to form the password. If the supplied password
192       is longer, the extra characters will be silently discarded.
193
194
195       The SHA-1 encryption format does not use salting: for a given password,
196       there is only one encrypted representation. The crypt() and MD5 formats
197       permute  the representation by prepending a random salt string, to make
198       dictionary attacks against the passwords more difficult.
199
200
201       The SHA-1 and crypt() formats are insecure by today's standards.
202
203
204       The SHA-2-based crypt() formats (SHA-256 and SHA-512) are supported  on
205       most   modern   Unix   systems,   and   follow   the  specification  at
206       https://www.akkadia.org/drepper/SHA-crypt.txt.
207
208

RESTRICTIONS

210       On the Windows platform, passwords encrypted with htpasswd are  limited
211       to  no  more  than  255  characters in length. Longer passwords will be
212       truncated to 255 characters.
213
214
215       The MD5 algorithm used by htpasswd is specific to the Apache  software;
216       passwords encrypted using it will not be usable with other Web servers.
217
218
219       Usernames are limited to 255 bytes and may not include the character :.
220
221
222       The  cost  of computing a bcrypt password hash value increases with the
223       number of rounds specified by  the  -C  option.  The  apr-util  library
224       enforces a maximum number of rounds of 17 in version 1.6.0 and later.
225
226
227
228
229Apache HTTP Server                2019-08-09                       HTPASSWD(1)
Impressum