You've found the file that holds the actual usernames and password hashes for HTTP Basic Auth on Apache.
No actual usernames or hashes were harmed (or leaked) in the making of this repo.
But the URL pattern is very real, and bots love it more than free Wi-Fi.
.htpasswd is a plain text file of username:hashed_password lines, referenced from your Apache config (or a .htaccess directive) via:
```apache
AuthUserFile /etc/apache2/htpasswd/.htpasswd
```

If mod_info is reachable on /server-info, an attacker reads your config and learns exactly where every AuthUserFile lives. If any of those paths happen to sit inside your document root, the next request is a GET for the hash file — and from there it's an offline cracking exercise.
The default hash on many htpasswd builds is MD5-crypt, which falls to a modern GPU in seconds. A leaked .htpasswd is rarely "they got a password" — it's usually "they got all the passwords."
1. Store .htpasswd OUTSIDE the document root. The single most common mistake. Put it somewhere Apache can read but the web server can never serve:
Good: /etc/apache2/htpasswd/.htpasswd
Bad: /var/www/html/.htpasswd
2. Use bcrypt, not the default. Pass -B to htpasswd:
```sh
# create the file (use -c only once — it overwrites)
htpasswd -B -c /etc/apache2/htpasswd/.htpasswd alice
# add users later without -c
htpasswd -B /etc/apache2/htpasswd/.htpasswd bob
```

3. Lock down mod_info and mod_status so attackers can't read your config to find AuthUserFile paths in the first place. (See the .htaccess sibling repo for the snippet.)
4. Confirm the default .ht* block is in place. Even with .htpasswd stored outside the document root, defense in depth costs nothing:
```apache
<Files ~ "^\.ht">
    Require all denied
</Files>
```

5. Set tight file permissions. Readable by the Apache user only:
```sh
chown root:www-data /etc/apache2/htpasswd/.htpasswd
chmod 640 /etc/apache2/htpasswd/.htpasswd
```

6. Verify from outside. From a machine that isn't your server:
```sh
curl -I https://your-domain.example/.htpasswd
```

A 403 or 404 is the right answer. A 200 OK is a bad afternoon.
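As an added example (not part of this repo), a small Python audit that applies steps 1, 2 and 5 to a .htpasswd file: it names each entry's hash scheme from the prefix htpasswd writes, checks whether the file path sits under the document root, and flags permissions looser than 640. The sample entries are constructed placeholders, not real credentials, and /var/www/html as the document root is an assumption.

```python
import os
import re
import stat

# Constructed sample content for demonstration only (not real credentials):
# one bcrypt entry (-B), one default MD5-crypt entry, one line with no hash at all.
SAMPLE_HTPASSWD = [
    "alice:$2y$05$" + "x" * 53,          # bcrypt: 60 chars total
    "bob:$apr1$abcdefgh$" + "y" * 22,    # MD5-crypt, htpasswd's default
    "carol:notahash",                    # stored in the clear
]

def classify_hash(h):
    """Name the scheme from the prefix htpasswd writes in front of the hash."""
    if h[:4] in ("$2y$", "$2a$", "$2b$"):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "md5-crypt"
    if h.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"  # traditional DES crypt (a 13-char plaintext would also land here)
    return "plaintext-or-unknown"

def audit_lines(lines):
    """Return (user, scheme, weak) per entry; only bcrypt counts as acceptable."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        user, _, h = line.partition(":")
        scheme = classify_hash(h)
        findings.append((user, scheme, scheme != "bcrypt"))
    return findings

def inside_docroot(path, docroot="/var/www/html"):
    """True when the file sits under the served tree (step 1 violated). Docroot is assumed."""
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([real, root]) == root

def permission_problems(mode):
    """Flag anything looser than the 640 recommended above; mode is the st_mode bits."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group-or-world-writable")
    return problems
```

Feed `open(path)` to `audit_lines` and `stat.S_IMODE(os.stat(path).st_mode)` to `permission_problems` to run it against a real file.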
.htpasswd is a fine tool for low-stakes gates — staging sites, internal dashboards, "keep the bots out" pages. For anything user-facing or compliance-relevant, reach for a real auth layer (OIDC, SSO, your framework's session system). HTTP Basic Auth sends credentials on every request and has no logout, no rate limit, and no MFA story.
- Apache HTTP Server — htpasswd documentation
- Apache HTTP Server — Authentication and Authorization HOWTO
- Sibling repo — .htaccess
Hash your passwords. Hide your hashes. Audit from the outside.