Password protection using .htaccess and .htpasswd
Heads up! This post was written in 2007, so it may contain information that is no longer accurate. I keep posts like this around for historical purposes and to prevent link rot, so please keep this in mind as you're reading.
— Cory
The simplest way I know to password protect files and directories using Apache's .htaccess and .htpasswd files.
.htpasswd
Create a text file with the following text:
username:password
The usernames and passwords are stored in this file, one per line, separated by a colon. To allow multiple users:
firstUser:password
secondUser:password
thirdUser:password
...
Now, for each password, you have to encrypt it using the htpasswd program (included with Apache). If you don't have this program, you should be able to find a tool on the web that can do it. If you have Apache installed on your local system, I strongly recommend using it. (You can also generate the entire file with this program, saving you the hassle of creating it in a text editor. Visit Apache's website to learn how.)
Windows users
- Open a command prompt (Start | Run | command.com)
- Type htpasswd -nb username password, replacing username and password with the appropriate values
If you get an error message, you'll have to navigate to the directory containing htpasswd.exe (usually Apache[version]bin). If you're not sure where it is, do a search on your system to find it. Once you're in the right directory, try the command again.
Linux users
- Open a terminal
- Type htpasswd -nb username password, replacing username and password with the appropriate values
The program will output something like: username:password. Copy this into your .htpasswd file and save it as .htpasswd (Windows users will have to save it as htpasswd.txt and rename it to .htpasswd after uploading).
.htaccess
Now you're ready to write your .htaccess file. This will let Apache know that you want it to use your .htpasswd file for authentication. You can protect one or more directories and/or files this way. To create your .htaccess file, create a new text file:
Protecting an entire directory
AuthUserFile /[path]/.htpasswd
AuthType Basic
AuthName "Login to access this folder"
require valid-user
Protecting a single file
# Replace [filename] with the name of the file to protect
<Files "[filename]">
AuthUserFile /[path]/.htpasswd
AuthType Basic
AuthName "Login to access this file"
Allow From All
require valid-user
</Files>
AuthUserFile is the server location of the .htpasswd file you have just created. You will need to adjust the path according to your directory structure so that it points to the correct location. THIS IS VERY IMPORTANT!
Save it as .htaccess (Windows users will have to save it as htaccess.txt and rename it to .htaccess after uploading).
Uploading
Upload both of the files to the appropriate directories on your webserver. Open a browser and navigate to the respective URL. You should get a login dialog that prompts you for a username and password.
Troubleshooting
If the authentication doesn't work, I would suggest:
- Checking the path you set after AuthUserFile in .htaccess
- Verifying that AllowOverride None is not present in the section of your Apache config file (usually called httpd.conf) that corresponds to the correct host. In some cases, you may have to specify AllowOverride All before it will work (even though this is the default setting).
- If you used a web-based password encryptor instead of the htpasswd program, try another one. I found that many would return encrypted strings that Apache could not authenticate for some reason.
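An added example, not part of the original post: a small Python audit of .htpasswd content that reports which scheme each entry uses. Entries that still hold a literal password (the username:password template never run through htpasswd) or a string in no format Apache recognises (as with the web-based encryptors mentioned above) stand out. The scheme labels, verdicts and sample entries are this example's own constructions.

```python
import re

# Hash formats Apache's htpasswd can emit, recognised by prefix or shape.
# The ok/weak/fail verdicts are this example's own labels (assumption).
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "weak"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),  # unsalted
    ("crypt-des", re.compile(r"^[./A-Za-z0-9]{13}$"), "weak"),  # 13-char crypt()
]


def classify(value):
    """Return (scheme, verdict) for the part after the colon."""
    for name, pattern, verdict in SCHEMES:
        if pattern.match(value):
            return name, verdict
    # Anything else is either a literal password or a damaged hash.
    return "plaintext-or-unknown", "fail"


def audit(text):
    """Audit .htpasswd content; returns (line_no, user, scheme, verdict) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        user, sep, value = line.partition(":")
        if not sep or not user or not value:
            findings.append((line_no, user, "malformed", "fail"))
            continue
        findings.append((line_no, user, *classify(value)))
    return findings


# Constructed sample file; the hash strings only have the right shape.
SAMPLE = """\
firstUser:password
secondUser:$apr1$Zk3x9Qw1$0123456789abcdefghijkl
thirdUser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
fourthUser:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
fifthUser
"""

if __name__ == "__main__":
    for line_no, user, scheme, verdict in audit(SAMPLE):
        print(f"line {line_no}: {user:<11} {scheme:<20} {verdict}")
```

A literal password that happens to be exactly 13 characters from the crypt alphabet is reported as crypt-des, so treat that verdict as a prompt to regenerate the entry rather than as proof it was hashed.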
Good luck!