Apache htpasswd Hashed Credential

Name: Apache htpasswd Hashed Credential
Creator: TestPattern Community
License: https://opensource.org/licenses/MIT

Detects Apache htpasswd file entries containing hashed passwords in MD5 ($apr1$), bcrypt ($2y$, $2b$, $2a$), or SHA ({SHA}) formats. Mirrors Snaffler rule KeepConfigByName.

Type: regex
Engine: boost_regex
Confidence: high
Confidence justification: High confidence: the combination of a username and a well-known password hash format marker ($apr1$, $2y$, $2b$, $2a$, {SHA}) is highly specific to htpasswd files. These hash prefixes are not found in other common file formats.
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: CIS Controls, ISO 27001, NIST CSF
Data categories: credentials
Scope: specific
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported

Pattern

[A-Za-z0-9_.-]{1,64}:(?:\$apr1\$|\$1\$|\$5\$|\$6\$|\$2[aby]\$|\{SHA\})[^\s:]{1,255}

Corroborative evidence keywords

htpasswd, AuthUserFile, AuthType Basic, Require valid-user

Proximity: 300 characters

Should match

admin:$apr1$xyz123$dGhpc2lzYWhhc2g. — MD5 apr1 htpasswd hash
deploy:$2y$10$abcdefghijklmnopqrstuuWOOj3U5X5bF5lrfH2jk8VeQ0k.YIVUC — Bcrypt $2y$ htpasswd hash
webuser:$2b$12$ABCDEFGHIJKLMNOPQRSTUUabcdefghijklmnopqrstuvwxyz01234 — Bcrypt $2b$ variant htpasswd hash
deploy:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEF — SHA-512 crypt ($6$) htpasswd hash (Snaffler parity)

Should not match

admin:plaintextpassword — No hash marker prefix, plaintext password
user:secret123 — Plaintext password, no hash format

Known false positives

Documentation or code examples showing htpasswd format with placeholder hashes. Mitigation: Require proximity to Apache configuration directives (AuthUserFile, AuthType Basic) to confirm htpasswd context.
Other systems that coincidentally use similar username:hash colon-separated format with the same hash prefixes. Mitigation: The specific hash marker prefixes ($apr1$, $2y$, $2b$, $2a$, {SHA}) are sufficiently distinctive to minimise false positives from non-htpasswd sources.

Collections

Snaffler Parity — Credential & Secret Files