htpasswd generator - password encryption

march 05, 2015

This web app contains a JavaScript port of Apache server's htpasswd utility. In order to ensure total privacy, no server-side computing is involved, your data stays in your browser. This app is totally client-side, I even encourage you to use it offline.

1. Users and passwords

One user per line, with or without a password :

Generate characters long passwords

Totally random letters, digits (7 bits)
letters, digits, punctuation and spaces (7 bits)
no similar characters

Pronounceable (lowercase) - make it longer english style
french style
german style
japanese style
passphrase with spaces

2. Generated htpasswd file

Hashing algorithm :
bcrypt
Cost
MD5 (APR)
crypt()
salted SHA-1
SHA-1
Plain (Nginx)
Plain (Apache)

The crypt() algorithm truncates all passwords to 8 characters max.

Your data contains non-ascii characters. The password file will have to be saved in ISO-8859-1 for Firefox and Chrome, or UTF-8 for Opera. If you want to ensure browser compatibility, use only ASCII.

Your data contains unicode characters. only Opera can handle unicode authentication, if your password file is saved in UTF-8.

In your browser, the cryptographic random number generator is

Hashing algorithms

bcrypt $2y$ or $2a$ prefix: This algorithm is currently considered to be very secure. Bcrypt hashes are very slow to compute (which is one one the reasons why they are secure). The cost parameter sets the computing time used (higher is more secure but slower, default: 5, valid: 4 to 31).
Warning : think carefully before you try values above 10, this thing is really slow. You could freeze your computer.
Compatibility : Apache since version 2.4 (needs apr-util 1.5+)
md5 (APR) $apr1$ prefix: Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random salt and the password. This is the default (since Apache version 2.2.18).
Compatibility : all Apache versions, Nginx 1.0.3+.
crypt(), also known as crypt(3) no prefix: It used to be the default algorithm until Apache version 2.2.17. It limits the password length to 8 characters. Considered insecure.
Compatibility : all Apache and Nginx versions, Unix only. Plain ASCII characters only.
salted sha-1 {SSHA} prefix: Considered insecure. The use of salt makes it more time-consuming to crack a list of passwords. However, it does not make dictionary attacks harder when cracking a single password.
Compatibility : Nginx 1.0.3+ only.
sha-1 {SHA} prefix: Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif). This algorithm is insecure by today's standards.
Compatibility : all Apache versions, Nginx 1.3.13+.
Plaintext (no hashing) no prefix for Apache, {PLAIN} for Nginx: Use plaintext passwords. Insecure.
Compatibility : all Windows and Netware Apache versions, Nginx 1.0.3+.

Setting up your server

• The directory in which you place your password file must not be accessible from the web, or your users could download it.
• Use an https connection if you can, to avoid transferring credentials in plain text.

Apache .htaccess file

AuthUserFile /path/to/htpasswd
AuthName "Authorized personnel only."
AuthType Basic
Require valid-user

Nginx configuration

location  /  {
  auth_basic  "Authorized personnel only.";
  auth_basic_user_file  /path/to/htpasswd;
}

Acknowledgement

A few third-party scripts allowed me to make this web application 100% client-side javascript. That's why offline use is possible and your data is not transmitted anywhere.
• javascript ports of standard md5 and sha1 algorithms by Paul Johnston.
• a modified version of Jeff Walden's javascript port of the unix crypt(3) function.
• zxcvbn for the password strength test.
• a modified version of Tom Van Vleck's pronouceable password generator.

This application also uses twin-bcrypt, my super-fast asm.js implementation of the bcrypt algorithm.