BCrypt Generator

Generate and verify bcrypt hashes entirely in your browser. Choose cost factor 4–12.


How to use

  1. Go to the Generate tab and type the password you want to hash.
  2. Select a cost factor using the slider — 10–12 is typical for production; higher values increase brute-force resistance but take longer to compute.
  3. Click "Generate Hash" — the bcrypt hash is computed in your browser and the execution time is shown once complete.
  4. Click "Copy" to copy the hash and store it in your database. Never store plain-text passwords.
  5. Switch to the Verify tab to confirm a password matches a stored hash — paste the hash, enter the password, and click "Verify" for an instant yes/no result.

Key features

  • Adjustable cost factor (4–12) — higher values exponentially increase the time needed to crack each password
  • Built-in Verify tab to check passwords against stored hashes without additional tooling
  • Industry-standard algorithm used by Laravel, Django, Rails, Spring Security, and most modern frameworks
  • 100% client-side — your passwords never leave your browser; no data sent to any server
  • Timing display shows how long each hash took, helping you choose the optimal cost factor

What is bcrypt?

Bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. Unlike general-purpose cryptographic hash functions such as SHA-256 or MD5, bcrypt is deliberately slow — its cost factor makes it exponentially harder for attackers to brute-force passwords, even with specialised hardware.

Each bcrypt hash includes a built-in 128-bit salt, which means identical passwords produce completely different hashes — preventing rainbow-table and pre-computation attacks. The output format is $2b$10$... where 10 is the cost factor and the remaining characters encode the salt and the hashed output.
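To make that format concrete, here is an added Python example (not part of this tool) that parses a bcrypt string into its version, cost and 128-bit salt and checks that it is well-formed: the `$2a$`/`$2b$`/`$2y$` prefix, the two-digit cost, then a 22-character salt and a 31-character hash in bcrypt's own base64 alphabet, 60 characters in all. The salt decoder and the 4..31 cost range are bcrypt's real rules; the string it is run against is the public OpenBSD bcrypt regression-test vector for salt `$2a$05$CCCCCCCCCCCCCCCCCCCCC.`, and the `needs_rehash` threshold of 12 is an assumed policy value.

```python
"""Parse and sanity-check a bcrypt hash string. Added example, not the tool's code."""
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char hash>  -> 60 characters in total
_BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str      # "2a", "2b" or "2y"
    cost: int         # log2 of the key-expansion rounds
    salt: bytes       # 16 bytes = 128 bits, decoded from the 22-char field
    salt_text: str    # the salt exactly as it appears in the string
    hash_text: str    # the 31-char encoded digest

    @property
    def work_factor(self) -> int:
        """Number of rounds: 2**cost, as in the cost-factor table."""
        return 1 << self.cost


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt's base64 variant into exactly nbytes; trailing bits are ignored."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)
        bits += 6
        while bits >= 8 and len(out) < nbytes:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Return the parsed hash, or raise ValueError if the string is malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError(f"not a bcrypt hash (length {len(hash_str)}, expected 60)")
    version, cost_s, salt_text, hash_text = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return BcryptHash(version, cost, bcrypt_b64decode(salt_text, 16), salt_text, hash_text)


def is_bcrypt(hash_str: str) -> bool:
    """Cheap shape check, e.g. to tell bcrypt rows from legacy hex digests."""
    try:
        parse_bcrypt(hash_str)
        return True
    except ValueError:
        return False


def needs_rehash(hash_str: str, min_cost: int = 12) -> bool:
    """True when the stored hash was made with a lower cost than policy requires (assumed 12)."""
    return parse_bcrypt(hash_str).cost < min_cost


if __name__ == "__main__":
    # Public OpenBSD regression-test vector (password "U*U", cost 5).
    h = parse_bcrypt("$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW")
    print(h.version, h.cost, h.work_factor, h.salt.hex(), needs_rehash(h.salt_text and
          "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"))
```

The 60-character length check is worth keeping in application code: a database column narrower than 60 characters silently truncates bcrypt output, after which every verification fails, and a parse error at write time is far easier to diagnose than a login failure later.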

Bcrypt is the de facto standard for password storage in most modern web frameworks and is recommended by OWASP, NIST, and most security guidelines.

Common Use Cases

User password storage

Hash user passwords before storing them in your database. Bcrypt ensures that even if the database is leaked, the original passwords remain protected.

Database credentials

Store admin or service account passwords as bcrypt hashes in configuration files or secret managers.

API token verification

Hash API secrets and tokens with bcrypt so they can be verified without storing them in plain text.

Compliance (OWASP, NIST)

Bcrypt is explicitly recommended by OWASP and NIST SP 800-63B for secure password storage in production systems.

Login flow testing

Use the Verify tab to confirm that a test or production password matches its stored bcrypt hash during development.

Legacy migration

Rehash existing passwords from weaker algorithms (MD5, SHA-1) into bcrypt as users log in — a technique called "upgrading hashes on login".
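The following Python example, added here and not the tool's own code, shows the upgrade-on-login routing just described. Legacy unsalted MD5 and SHA-1 digests are recognised by their hex length and compared in constant time with the standard library; bcrypt itself is supplied through two adapter callables, `bcrypt_hash(password_bytes, cost)` and `bcrypt_verify(password_bytes, stored)`, which in a real deployment wrap a library such as PyPI's `bcrypt` (`hashpw` with `gensalt(rounds=...)`, and `checkpw`). The policy cost of 12, the `legacy_digest` helper used to build sample rows, and the `fits_bcrypt` check are assumptions; `fits_bcrypt` enforces bcrypt's 72-byte input limit, which matters when long passphrases or API tokens are hashed.

```python
"""Upgrade-on-login: verify against whatever hash is stored, then rehash with bcrypt.
Added example, not the tool's own code; bcrypt is injected via adapter functions."""
import hashlib
import hmac
import re
from typing import Callable, Optional, Tuple

BCRYPT_MAX_BYTES = 72   # bcrypt uses only the first 72 bytes of the password
TARGET_COST = 12        # assumed current policy; raise it as hardware gets faster

_HEX = re.compile(r"^[0-9a-f]+$")
BcryptHashFn = Callable[[bytes, int], str]     # (password, cost) -> 60-char bcrypt string
BcryptVerifyFn = Callable[[bytes, str], bool]  # (password, stored) -> does it match?


def fits_bcrypt(password: str) -> bool:
    """Reject at registration anything bcrypt would silently truncate (hypothetical check)."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


def legacy_digest(password: str, algo: str) -> str:
    """What the old, unsalted scheme stored; used only to construct sample rows."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def _bcrypt_cost(stored: str) -> Optional[int]:
    """Cost factor of a bcrypt-shaped string, else None."""
    if len(stored) == 60 and stored[:4] in ("$2a$", "$2b$", "$2y$") and stored[6] == "$":
        return int(stored[4:6])
    return None


def _legacy_verify(stored: str, password: bytes) -> bool:
    """32 hex chars = MD5, 40 = SHA-1; compare in constant time."""
    s = stored.lower()
    if not _HEX.match(s):
        return False
    if len(s) == 32:
        digest = hashlib.md5(password).hexdigest()
    elif len(s) == 40:
        digest = hashlib.sha1(password).hexdigest()
    else:
        return False
    return hmac.compare_digest(digest, s)


def verify_and_upgrade(stored: str, password: str,
                       bcrypt_hash: BcryptHashFn,
                       bcrypt_verify: BcryptVerifyFn) -> Tuple[bool, Optional[str]]:
    """Return (login_ok, replacement_hash).

    replacement_hash is None when the stored value is already bcrypt at the
    policy cost; otherwise the caller writes it back to the user row."""
    pw = password.encode("utf-8")
    cost = _bcrypt_cost(stored)
    if cost is not None:
        if not bcrypt_verify(pw, stored):
            return False, None
        # Already bcrypt: rehash only if it was made with a weaker cost than policy.
        return True, (bcrypt_hash(pw, TARGET_COST) if cost < TARGET_COST else None)
    if _legacy_verify(stored, pw):
        # Only a successful login yields the plaintext needed to rehash.
        return True, bcrypt_hash(pw, TARGET_COST)
    return False, None
```

The legacy branch is the only place the old digests are ever compared; once a user has logged in and the row has been rewritten, the MD5 or SHA-1 value is gone, and accounts that never log in can be forced through a password reset instead.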

Cost Factor Reference

Higher cost factors make each hash exponentially slower to compute — and to crack.

| Cost | Work factor (2^cost) | Approx. time (desktop) | Recommendation |
|------|----------------------|------------------------|----------------|
| 4    | 16 rounds            | ~1 ms                  | Too fast — only for testing |
| 8    | 256 rounds           | ~10 ms                 | Minimum for legacy apps |
| 10   | 1,024 rounds         | ~50 ms                 | Recommended baseline |
| 12   | 4,096 rounds         | ~200 ms                | Recommended for new apps |
| 14   | 16,384 rounds        | ~800 ms                | High-security environments |

Bcrypt vs. SHA — Why Speed Matters

A GPU can compute billions of SHA-256 hashes per second, making it trivial to brute-force passwords hashed with SHA-2. Bcrypt's adaptive cost factor closes this gap by making each hash thousands of times slower to compute — both for you and for attackers.

| Algorithm | Built-in salt? | Adaptive cost?      | Good for passwords? |
|-----------|----------------|---------------------|---------------------|
| Bcrypt    | Yes (128-bit)  | Yes                 | Yes |
| Argon2    | Yes            | Yes (memory + time) | Yes (preferred over bcrypt) |
| SHA-256   | No             | No                  | No — too fast, no salt |
| MD5       | No             | No                  | No — broken + too fast |