What cost factor should I use for bcrypt?
OWASP recommends a minimum cost factor of 10. For new systems, use 12 (balances security and ~400ms per hash). Cloud function environments may need lower values to stay within timeout limits.
Bcrypt Hash Generator creates secure, salted bcrypt password hashes with an adjustable cost factor (also called work factor or rounds). Bcrypt is recommended by OWASP as a password hashing algorithm, and is used by default in Django, Laravel, Spring Security, Devise (Rails), and bcryptjs (Node.js). Unlike MD5 or SHA-256, bcrypt deliberately slows down with higher cost factors, making brute-force and GPU attacks computationally infeasible. All hashing runs in your browser; your password is never uploaded.
Bcrypt uses the Blowfish cipher to hash passwords. Each hash includes a version prefix ($2b$), the cost factor (e.g., $10$), a 22-character random salt, and a 31-character hash — total 60 characters. The cost factor doubles hashing time for each increment: cost 10 takes ~100ms, cost 12 takes ~400ms, cost 14 takes ~1.5s. This deliberate slowness makes GPU attacks orders of magnitude harder than fast hashes like MD5 or SHA-256.
Bcrypt generates a new random 128-bit salt every time it hashes a password. The salt is embedded in the hash string itself, so bcrypt.compare() can re-derive it during verification.
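The hash layout and embedded salt described above can be checked without running bcrypt at all. The following is an added example, not code from this tool: it parses a bcrypt string into its fields, decodes the salt to confirm it is 128 bits, and flags stored hashes whose cost is below a chosen policy. The function names and the policy value of 12 are assumptions for illustration.

```javascript
// Added example: parse the 60-character bcrypt string described above.
const BCRYPT_B64 =
  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode bcrypt's own base64 variant (different alphabet, no padding).
function decodeBcryptB64(text) {
  const bytes = [];
  let acc = 0;
  let bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | BCRYPT_B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return bytes;
}

// Split a hash into version, cost, salt and digest; reject malformed input.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error("not a well-formed 60-character bcrypt hash");
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) throw new Error("cost factor out of range");
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // key-expansion rounds; doubles per increment
    salt: decodeBcryptB64(m[3]), // 16 bytes = 128 bits
    digest: m[4],
  };
}

// True when a stored hash was made with a cost below the current policy,
// so it should be re-hashed the next time the user logs in successfully.
function needsRehash(hash, minCost) {
  return parseBcryptHash(hash).cost < minCost;
}

// Sample hash taken from this page's Output field.
const SAMPLE = "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
console.log(parseBcryptHash(SAMPLE).cost, needsRehash(SAMPLE, 12));
```

Because the cost is stored in every hash, raising the policy does not invalidate existing hashes; they keep verifying and can be upgraded one login at a time.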
No. Bcrypt is a one-way function. Verification works by re-hashing the provided password with the extracted salt and comparing results.
No. Hashing runs entirely in your browser using a JavaScript bcrypt implementation. Your password never leaves your device.
Bcrypt is battle-tested (1999) and widely supported. Argon2 (2015 Password Hashing Competition winner) is more memory-hard, making it resistant to ASIC attacks. Both are excellent choices; OWASP recommends Argon2id for new systems, bcrypt as the fallback.
Yes, completely free. No account or sign-up required.
Free bcrypt hash generator online — generate and verify bcrypt password hashes with configurable cost factors (rounds). The industry-standard tool for secure password hashing. No login.
Input
mySecurePassword123 | Cost: 10
Output
$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy