Bcrypt hashes passwords slowly by design. Each cost factor increment doubles computation time, making brute-force attacks expensive regardless of hardware speed.
| Cost | Approx. time | Use case |
|---|---|---|
| 4–6 | <1ms | Development / testing |
| 10–12 | ~100ms | Production (recommended) |
| 13+ | 1s+ | High-security systems |
Bcrypt runs in your browser. No passwords reach any server.
Bcrypt Hash Generator & Verifier
What is bcrypt?
Bcrypt hashes passwords slowly by design. MD5 and SHA-256 execute in microseconds; bcrypt's cost factor lets you scale computation time up as hardware improves. The output stores the algorithm version, cost factor, and a random salt, so each hash of the same password looks different but still verifies correctly. The salt defeats rainbow-table lookups, and the cost factor makes brute-force attacks expensive.
How to use
- Pick Generate or Verify mode in the toolbar.
- Generate: enter your password, adjust the cost factor (10 is the default), click Generate Hash.
- Verify: enter the original password and the stored bcrypt hash, click Verify to confirm they match.
- Copy the generated hash and store it in your database. Never store the raw password.
Frequently Asked Questions
Is it safe to use this tool with real passwords?
Yes. Bcrypt runs in your browser using JavaScript. Your password and hash never leave your device. Open DevTools and check the Network tab to confirm.
What cost factor should I use in production?
Use 10–12. At cost 10, hashing takes about 100ms on modern hardware: fast for users, slow for attackers. Raise it as hardware improves.
Why does the same password produce a different hash each time?
Bcrypt generates a random salt for each hash and stores it in the output string. Two hashes of the same password look different because each has a different salt. To verify, bcrypt extracts the salt from the stored hash and reapplies it.
Can I verify a hash generated by another bcrypt tool?
Yes. Bcrypt is a standardized format. Hashes starting with $2a$, $2b$, or $2y$ are all compatible. You can paste a hash from Node.js, Python, PHP, or any other bcrypt library and verify it without conversion.
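The stored string described in the answers above can be split into its fields without any bcrypt library. The following is an added example, not this tool's own code: the function names are hypothetical and the sample hash is constructed for illustration. It parses the version prefix, cost factor and salt, and flags hashes whose cost is below a target so they can be upgraded at the user's next successful login.

```javascript
// Added example: field parser for bcrypt hash strings (names are hypothetical).
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode bcrypt's unpadded base64 variant (its own alphabet) into bytes.
function bcryptB64Decode(text) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out);
}

// Split a stored hash into version, cost, salt and digest; null if malformed.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { version: m[1], cost, salt: bcryptB64Decode(m[3]), digest: m[4] };
}

// True when a well-formed stored hash uses a lower cost than the current target.
function needsRehash(hash, targetCost) {
  const p = parseBcryptHash(hash);
  return p !== null && p.cost < targetCost;
}

// Each cost increment doubles the work, so the gap is a power of two.
function workRatio(hash, targetCost) {
  const p = parseBcryptHash(hash);
  return p === null ? NaN : 2 ** (targetCost - p.cost);
}

// Constructed sample with a valid layout; it is not the hash of any known password.
const SAMPLE = "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
console.log(parseBcryptHash(SAMPLE), needsRehash(SAMPLE, 12), workRatio(SAMPLE, 12));
```

A rehash can only happen when the plaintext password is available, which is at login after a successful verify.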
Why does bcrypt take several seconds at high cost factors?
The slowness is the security mechanism. A cost-14 hash that takes 1 second on your machine forces an attacker on comparable hardware to spend 1 second per guess. A trillion-guess attack takes thousands of years.