Bcrypt Hash Generator - Generate & Verify Bcrypt Hashes Online
Generate bcrypt password hashes with configurable cost factor and verify plaintext against existing bcrypt hashes. 100% client-side, your passwords never leave your browser.
Recommended for production use
Frequently Asked Questions
What is bcrypt and why is it used for password hashing?
Bcrypt is a password hashing function designed by Niels Provos and David Mazieres in 1999, based on the Blowfish cipher. Unlike general-purpose hash functions like SHA-256, bcrypt is specifically designed for password storage. It includes a built-in salt to prevent rainbow table attacks and an adaptive cost factor that can be increased over time to keep up with increasing computational power. This makes bcrypt intentionally slow, which is a feature — it makes brute-force attacks impractical even with modern hardware.
How do I use this bcrypt hash generator?
1. Switch to the Generate tab. 2. Enter your password or text in the input field. 3. Adjust the Cost Factor (Rounds) slider — default is 10, recommended 12+ for production. 4. Click Generate Hash and wait for the computation to complete. 5. Copy the generated 60-character bcrypt hash using the Copy button. 6. To verify a password, switch to the Verify tab, paste the bcrypt hash and enter the plaintext to test.
Is my password safe? Does it get sent to a server?
Your password is 100% safe and never leaves your browser. This tool uses the bcryptjs JavaScript library to perform all bcrypt operations entirely on your device. No password data, plaintext, or generated hashes are ever transmitted to any server, stored in any database, or logged anywhere. You can verify this by disconnecting from the internet — the tool works fully offline after the initial page load.
What cost factor (rounds) should I use?
The cost factor determines how many iterations bcrypt performs (2^rounds). Higher values are more secure but slower. Recommendations: 4-7 for testing and development only, never in production. 8-9 for low-security applications with high throughput needs. 10 is the default value, minimum acceptable for many applications. 12 is the recommended minimum for production use. 14+ for high-security applications where slower hash times are acceptable. OWASP recommends a minimum of 10 rounds, with 12 being the preferred default.
Why does the same password produce different bcrypt hashes each time?
Bcrypt automatically generates a unique 128-bit random salt for each hash operation. This salt is incorporated into the hash and stored as part of the output string. When you hash the same password twice, different salts are used, producing different hash outputs. This is by design — it prevents rainbow table attacks and means that even identical passwords stored in a database will have different hashes. During verification, bcrypt extracts the salt from the stored hash to re-compute and compare.
What is the difference between bcrypt and SHA-256 for password hashing?
SHA-256 is a general-purpose cryptographic hash function designed to be fast, while bcrypt is specifically designed for password hashing and is intentionally slow. SHA-256 can compute billions of hashes per second on modern GPUs, making brute-force attacks feasible. Bcrypt's adjustable cost factor limits attackers to at most a few thousand hashes per second (at rounds=12), making brute-force impractical. Additionally, bcrypt includes automatic salting, while SHA-256 requires manual salt management.
Can I use this tool for production password hashing?
This tool is designed for testing, learning, and development purposes. While the bcryptjs library produces valid, standards-compliant bcrypt hashes, production password hashing should be performed server-side within your application code. Never hash passwords client-side in production — the hash itself becomes the credential if intercepted. Use this tool to generate test hashes, verify existing hashes, learn about bcrypt parameters, and determine appropriate cost factors for your application.
Code Examples
const bcrypt = require('bcryptjs');
// Generate a bcrypt hash
async function hashPassword(password, rounds = 12) {
const salt = await bcrypt.genSalt(rounds);
const hash = await bcrypt.hash(password, salt);
return hash;
}
// Verify a password against a hash
async function verifyPassword(password, hash) {
const isMatch = await bcrypt.compare(password, hash);
return isMatch;
}
// Parse bcrypt hash components
function parseBcryptHash(hash) {
const match = hash.match(/^\$(\w+)\$(\d{2})\$(.{22})(.{31})$/);
if (!match) return null;
return {
version: match[1],
rounds: parseInt(match[2], 10),
salt: match[3],
hash: match[4],
};
}
// Example usage
(async () => {
const password = 'MySecurePassword123!';
const hash = await hashPassword(password, 12);
console.log('Hash:', hash);
const isValid = await verifyPassword(password, hash);
console.log('Valid:', isValid); // true
const parsed = parseBcryptHash(hash);
console.log('Parsed:', parsed);
})();