
Bcrypt Generator online

Generate bcrypt hashes and verify passwords — browser-side

by CHUNKY MUNSTER
⚠ Your password is never sent anywhere. All hashing runs in your browser using WebAssembly bcrypt.

How to Use bcrypt

  1. Type your plaintext password into the input field.
  2. Choose a cost factor (work factor) — 10 to 12 is the current recommendation.
  3. Click Hash to generate a new bcrypt hash with a random salt.
  4. Use the Verify section: enter the plaintext and an existing hash to confirm they match.

Bcrypt is a password-hashing function designed to be intentionally slow — its cost factor increases the computation time exponentially, making brute-force attacks expensive even with modern GPUs. Never store plain passwords or use fast hashes like MD5 or SHA-256 for password storage. Use bcrypt, Argon2, or scrypt instead. All hashing runs locally in this browser — no passwords are ever transmitted.

Understanding the Bcrypt Cost Factor

The cost factor (also called work factor or rounds) is the base-2 logarithm of the number of iterations. Cost 10 means 2¹⁰ = 1,024 iterations; cost 12 means 2¹² = 4,096. Increasing the cost factor by one doubles the time to hash a password, and doubles the time an attacker needs to test each guess. OWASP currently recommends cost 10–12 on most hardware, targeting around 1 second per hash on your production server.

Frequently Asked Questions

Why is the same password hashed differently each time?

Bcrypt generates a new random 128-bit salt for every hash. The salt is embedded in the output string, so verification knows which salt to use. Two hashes of the same password are always different — this defeats rainbow table attacks.

What does a bcrypt hash look like?

A bcrypt hash looks like $2b$12$xyz... In that string, $2b$ is the version identifier, 12 is the cost factor, the next 22 characters are the salt, and the remaining 31 characters are the hash.

What is the maximum password length for bcrypt?

Bcrypt processes only the first 72 bytes of the password. Passwords longer than 72 bytes are silently truncated. If you need to support very long passwords, pre-hash with SHA-256 before bcrypt (carefully, as this has trade-offs).
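
The hash layout and the 72-byte limit described in the two answers above can be checked in code before a hash is stored or a password is accepted. The following is an added example, not this tool's own code: the function names, the sample hash string and the minimum-cost policy value are assumptions made for illustration.

```javascript
// Added example: inspect a bcrypt hash string and check the 72-byte input limit.
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Constructed sample in the $2b$12$... layout; not the hash of any real password.
const SAMPLE_HASH = "$2b$12$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

// Decode bcrypt's base64 variant (same bit packing as base64, different alphabet).
function decodeBcryptBase64(text, byteCount) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid character in bcrypt base64");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out.slice(0, byteCount));
}

// Split a hash into version, cost, 22-character salt and 31-character digest.
function parseBcryptHash(hash) {
  const m = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/.exec(hash);
  if (!m) throw new Error("not a well-formed bcrypt hash string");
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) throw new Error("cost factor outside bcrypt's 4-31 range");
  return { version: m[1], cost, iterations: 2 ** cost,
           salt: decodeBcryptBase64(m[3], 16), digest: m[4] };
}

// True when a stored hash is below the current policy (minCost is an assumed
// policy value) and should be re-hashed at the user's next successful login.
function needsRehash(hash, minCost) {
  return parseBcryptHash(hash).cost < minCost;
}

// bcrypt counts bytes, not characters: 40 two-byte characters already exceed 72.
function passwordByteInfo(password) {
  const bytes = new TextEncoder().encode(password).length;
  return { bytes, truncated: bytes > 72 };
}

console.log(parseBcryptHash(SAMPLE_HASH), needsRehash(SAMPLE_HASH, 13),
            passwordByteInfo("é".repeat(40)));
```

Rejecting or warning on input where truncated is true avoids the silent truncation described above, since two long passwords sharing their first 72 bytes would otherwise verify against the same hash.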

Is bcrypt still recommended, or should I use Argon2?

Both are good choices. Argon2 (the PHC winner in 2015) allows tuning memory usage in addition to time, making it more resistant to GPU attacks. For most web applications, bcrypt at cost 12 remains a solid and widely supported choice.

See also the Bcrypt & Scrypt tool for scrypt, and the All Hashes generator for non-password hashing needs.