Bcrypt Hash Generator
Generate and verify bcrypt password hashes in your browser. Adjustable cost factor from 4 to 12 rounds, with instant verification mode.
About Bcrypt Hash Generator
Generate bcrypt password hashes with adjustable cost factor or verify a plaintext against an existing hash. Bcrypt is the recommended algorithm for password storage, used by Rails, Django, Spring Security, and most modern web frameworks. All hashing runs in your browser using the bcryptjs library - nothing is sent to a server.
How Bcrypt Works
Bcrypt is based on the Blowfish cipher's key schedule. For each hash, it generates a random 16-byte salt, then runs the expensive key setup 2^cost times to produce a 24-byte hash. The output string contains everything needed to verify the password later.
| Part | Example | Meaning |
|---|---|---|
| Algorithm version | $2b$ | Bcrypt variant (2b is the current standard) |
| Cost factor | $10$ | 2^10 = 1,024 iterations |
| Salt (22 chars) | N9qo8uLOickgx2ZMRZoMye | Random, Base64-encoded 16-byte salt |
| Hash (31 chars) | IjZAgcfl7p92ldGxad68LJZdL17lhWy | The resulting password hash |
A complete bcrypt hash looks like: $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy. Because the salt is embedded in the output, you never need to store the salt separately.
Cost Factor Guide
| Cost | Iterations | Approximate Time | Recommendation |
|---|---|---|---|
| 4 | 16 | ~1ms | Too fast - only for testing |
| 8 | 256 | ~10ms | Minimum for non-critical apps |
| 10 | 1,024 | ~100-150ms | Standard default for most frameworks |
| 12 | 4,096 | ~400-600ms | High security applications |
| 14 | 16,384 | ~2-3 seconds | Very high security (may be too slow for UX) |
Each increment of the cost factor doubles the computation time. The goal is to make brute-force attacks impractical while keeping login times acceptable for users. OWASP recommends a cost factor that results in at least 250ms per hash.
Why Bcrypt for Passwords?
| Algorithm | Speed | Built-in Salt | Adjustable Work Factor | Suitable for Passwords? |
|---|---|---|---|---|
| MD5 | Extremely fast (~billions/sec on GPU) | No | No | No - trivially crackable |
| SHA-256 | Very fast (~billions/sec on GPU) | No | No | No - too fast for passwords |
| Bcrypt | Intentionally slow (~10K/sec) | Yes | Yes (cost factor) | Yes - industry standard |
| Scrypt | Slow + memory-hard | Yes | Yes (N, r, p) | Yes - resists GPU attacks |
| Argon2 | Slow + memory-hard | Yes | Yes (time, memory, threads) | Yes - Password Hashing Competition winner |
Fast hash functions like SHA-256 are designed for speed - great for file checksums, terrible for passwords. An attacker with a modern GPU can test billions of SHA-256 hashes per second. Bcrypt's intentional slowness limits attacks to thousands per second, making brute-force impractical.
Bcrypt in Different Languages
| Language | Library | Hash Example |
|---|---|---|
| Node.js | bcrypt or bcryptjs | bcrypt.hash(password, 10) |
| Python | bcrypt (pip install bcrypt) | bcrypt.hashpw(password, bcrypt.gensalt(rounds=10)) |
| Ruby (Rails) | bcrypt-ruby (has_secure_password) | BCrypt::Password.create(password, cost: 10) |
| PHP | Built-in password_hash() | password_hash($password, PASSWORD_BCRYPT) |
| Java | Spring Security BCryptPasswordEncoder | new BCryptPasswordEncoder(10).encode(password) |
| Go | golang.org/x/crypto/bcrypt | bcrypt.GenerateFromPassword([]byte(pw), 10) |
Bcrypt Versions
| Version | Prefix | Notes |
|---|---|---|
| Original | $2$ | Original 1999 implementation |
| 2a | $2a$ | Fixed UTF-8 handling issues |
| 2b | $2b$ | Current standard - fixes an unsigned char bug in OpenBSD |
| 2y | $2y$ | PHP-specific fix for 2a, equivalent to 2b |
All versions are compatible for verification - a hash generated with $2a$ can be verified by a $2b$ implementation. Use $2b$ for new hashes.
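The hash layout, cost table and version prefixes above can be checked from a stored hash string alone, without hashing anything. The following is an added example (not code from this tool or from bcryptjs): it splits a bcrypt string into its parts and decides whether a stored hash should be regenerated at next login because its cost is below policy or it carries a legacy prefix. The second sample string is constructed (a $2a$, cost 08 prefix on the page's example digest) and is not a real bcrypt output.

```javascript
// Parse "$<version>$<cost>$<22-char salt><31-char hash>" without computing
// a hash. bcrypt uses its own Base64 alphabet (./A-Za-z0-9), not RFC 4648.
function parseBcryptHash(str) {
  const m = /^\$(2[aby]?)\$(\d{2})\$([./A-Za-z0-9]{53})$/.exec(str);
  if (!m) throw new Error("not a bcrypt hash string");
  const version = m[1];            // "2", "2a", "2b" or "2y"
  const cost = Number(m[2]);       // two-digit, zero-padded cost factor
  if (cost < 4 || cost > 31) throw new Error("cost out of range: " + cost);
  return {
    version,
    cost,
    iterations: 2 ** cost,         // key-setup rounds, as in the cost table
    salt: m[3].slice(0, 22),       // 16 random bytes in bcrypt Base64
    hash: m[3].slice(22),          // the 31-character digest
  };
}

// Policy check for a login handler: after the password verifies against the
// stored hash, a hash below the current minimum cost or with a legacy prefix
// is rehashed with the fresh plaintext and the record is updated.
function needsRehash(str, minCost, preferredVersion = "2b") {
  const p = parseBcryptHash(str);
  return p.cost < minCost || p.version !== preferredVersion;
}

// Sample inputs: the page's example hash, and a constructed legacy variant.
const SAMPLE = "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
const LEGACY = "$2a$08$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";

console.log(parseBcryptHash(SAMPLE));
console.log("rehash at cost 12?", needsRehash(SAMPLE, 12));
console.log("legacy rehash at cost 10?", needsRehash(LEGACY, 10));
```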
For fast non-keyed hashing (checksums, fingerprints), the Hash Generator supports SHA-256, SHA-512, and MD5. To check password strength before hashing, the Password Strength Analyzer estimates crack time. All processing runs in your browser - your passwords never leave your machine.
Frequently Asked Questions
What is bcrypt and why is it used for passwords?
Bcrypt is a password hashing algorithm based on the Blowfish cipher. Unlike fast hash functions like SHA-256, bcrypt is intentionally slow and includes a configurable cost factor, making brute-force attacks much harder. It also generates a unique salt for each hash automatically.
What cost factor should I use?
A cost factor of 10 is the most common default, taking roughly 150ms per hash. For higher security, 12 is a good choice but takes about 600ms. Anything below 8 is generally too fast for production password hashing.
Is this tool safe to use for real passwords?
All hashing runs entirely in your browser using the bcryptjs library. No data is sent to any server. However, for production systems you should hash passwords on your server, not in the browser.
Can I reverse a bcrypt hash to get the original password?
No. Bcrypt is a one-way function, meaning you cannot mathematically reverse a hash to recover the original input. The only way to check a password is to hash it with the same salt and compare the results, which is what the Verify mode does.