Limit access by requiring a password

Last revision November 8, 2017

Access Control Table of Contents:
  1. Introduction
  2. By SUNet ID
  3. By Computer
  4. By Local Password
  5. By Computer and Password
  6. By Computer or Password

If you want to limit access to only specific people at Stanford who all have SUNet IDs, then do not use the method on this page. Instead, follow the instructions on the limit access by SUNet ID page. That is easier and more secure than creating local usernames and passwords just for your web site. However, if you need to give access to non-Stanford people, then follow the instructions on this page.

To limit access to specific people, you can make personal "web accounts" for them that have a user name and password. You create these user names and passwords and they apply only to your restricted web pages. When anyone tries to look at these restricted pages, the web browser will ask him for a user name and password, which must match one of the accounts you will create.

These web accounts are not very secure. The passwords are stored in an encrypted form, but they are often sent over the network by the browser in plain text. So do not use your SUNet ID password or any other important password when making a web account. Unlike most passwords, it is acceptable to allow a group of people to share a single web account user name and password, as they are only used for this one specific purpose.

Make web account usernames and encrypted passwords

Start by creating a file with the usernames and encrypted passwords of the web accounts you make to restrict access to your folder. You can call this file any name you want, and even put it in any folder accessible to the web server, but the conventional name is .htpasswd and the conventional location is to put it inside the folder to be protected! We will follow those conventions in these directions.

The .htpasswd file must created as a plain text file, just like the .htaccess file, as described on the introductory page for this section.

There are numerous websites that will properly encrypt passwords for you to put in this file. This one (found by a Google search on "htpasswd generator") uses the MD5 encryption method which works for all versions of the Apache server, not just the version installed on pangea:

On this website, you enter the username and password for each web account you are creating. It generates the line with the encrypted password that you add to your .htpasswd file.

You can also generate the entries for the .htpasswd file using the htpasswd command-line program found on Mac OS X (from a Terminal shell window) and many Linux distributions.

Later, if you want to remove a web account (and thus cut off access), simply edit your .htpasswd file and delete the line containing the username and encrypted password for that account.

Setup the .htaccess file

After you have made the .htpasswd file containing the web accounts, make a .htaccess file in the folder to be protected that contains the lines shown here, but substituting values that are appropriate to your case wherever you see italicized keywords, as explained below.

AuthUserFile completepathtohtpasswdfile
AuthName authorizationgroup
AuthType Basic
Require valid-user

Two directives need to be customized for your folder: AuthUserFile and AuthName


The AuthUserFile directive specifies the location of your .htpasswd file containing the web account user names and passwords. You must specify the complete Unix folder path to get to this file, as seen by the pangea web server. These instructions assume that you are using the file name .htpasswd and have put the file in the same folder that will be protected by the .htaccess file.

If you are creating a .htpasswd file in one of the department or group web folders served by pangea, the complete Unix folder path will start with /WWW/ followed by the pathname components in the web URL. For example, the URL

translates to the complete Unix folder path on pangea of


which results in an AuthUserFile directive of

AuthUserFile /WWW/research/crg/.htpasswd

If you are creating a .htpasswd file in a folder in your personal web space, you cannot use the ~sunetid shortcut. Instead, the folder path starts with /homedirs/sunetid/WWW/ (substituting your SUNet ID name for sunetid), followed by the pathname components in the URL after the ~sunetid/ part. For example, the personal web site folder with the URL

translates to the complete Unix folder path on pangea of


which results in an AuthUserFile directive of

AuthUserFile /homedirs/farrell/WWW/outage/.htpasswd


The AuthName directive gives a short reference name that stands for this group of restricted files. This name is used by web browsers to keep track of which usernames and passwords apply to which files. You can use any name you like, but it is helpful if it is somewhat descriptive. Your reference name in the AuthName directive should be a single word. If you use more than one word, enclose the phrase in quote marks (").

For example, I could use myfriends as the reference name for a folder that I want to share only with my friends, for whom I will create personal web accounts in my .htpasswd file. My .htaccess file will have the line

AuthName myfriends

Example .htpasswd and .htaccess files

Here is a complete example of the .htaccess and .htpasswd files used to protect a folder on a personal web site on pangea.

The folder to be protected is named testprotect in the personal web site on pangea for the user with SUNet ID farrell.

There will be one web account to control access to this folder, with the username "guest" and the password "testit". Entering those values on the Htpasswd Generator website yielded this line:


I then create the file .htpasswd in this testprotect folder containing the single line above defining the guest account.

I then create the file .htaccess in this testprotect folder with these lines:

AuthUserFile /homedirs/farrell/WWW/testprotect/.htpasswd
AuthName testgroup
AuthType Basic
Require valid-user

Comments or Questions?