
Bcrypt

The Bcrypt tool hashes passwords with the bcrypt adaptive hashing function and verifies whether a plain-text password matches a given bcrypt hash. Bcrypt has been a standard choice for storing user passwords in databases since the late 1990s and remains a safe one. All computation runs in your browser using WebAssembly – passwords are never sent to any server.

What is bcrypt?

Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. Unlike general-purpose cryptographic hash functions (MD5, SHA-256), bcrypt is intentionally slow and computationally expensive, which makes brute-force and dictionary attacks far more costly per guess. It includes a cost factor (work factor) that controls how many rounds of key setup the algorithm performs: the round count is 2^cost, so raising the cost factor by one doubles the computation time. Implementations also generate a random 128-bit salt for each password, so precomputed rainbow tables are useless and two users with the same password get different hashes. The output is a 60-character string that encodes the algorithm version, cost factor, salt, and hash together.

How does the tool work?

In hash mode, the tool generates a cryptographically secure random 16-byte salt using the browser's crypto.getRandomValues() API. It then runs the bcrypt key derivation with the selected cost factor (4–31, default 12) using a WebAssembly implementation of bcrypt. The output is a 60-character string in the standard bcrypt format: $2b$[two-digit cost]$[22-char salt][31-char hash]. In verify mode, the tool extracts the cost factor and salt from the provided hash string, re-runs the derivation on the input password with those parameters, and compares the result to the stored hash using a constant-time comparison, so the time taken does not reveal how many leading characters matched.
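
As an added example (not code from this page or from the tool), the following Python parses the 60-character string described above into its version, cost, salt and digest, and performs the constant-time final comparison of verify mode. It uses only the standard library, so it does not compute the bcrypt key derivation itself; the names BcryptHash, parse_bcrypt, bcrypt_b64decode and hashes_match are this example's own, and the input hash is the one from the Example section of this page.

```python
import hmac
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet ("./" first, then letters, then digits),
# not the RFC 4648 alphabet, and writes no "=" padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_VALUE = {ch: i for i, ch in enumerate(BCRYPT_ALPHABET)}

# $2b$12$<22 salt chars><31 hash chars>: 7 + 22 + 31 = 60 characters.
# The cost is always written as two digits ("04", not "4").
_HASH_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass(frozen=True)
class BcryptHash:
    version: str   # "2a", "2b", "2x" or "2y"
    cost: int      # work factor, 4..31; the key setup runs 2**cost times
    salt: bytes    # 16 bytes decoded from the 22 salt characters
    digest: bytes  # 23 bytes decoded from the 31 hash characters
    encoded: str   # the original 60-character string


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; trailing bits that do not fill a byte are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | _VALUE[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def parse_bcrypt(encoded: str) -> BcryptHash:
    """Split a bcrypt string into version, cost, salt and digest, rejecting malformed input."""
    m = _HASH_RE.match(encoded)
    if m is None:
        raise ValueError("not a 60-character bcrypt hash string")
    version, cost_str, salt_b64, hash_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside the valid range 4..31")
    return BcryptHash(version, cost, bcrypt_b64decode(salt_b64),
                      bcrypt_b64decode(hash_b64), encoded)


def hashes_match(stored: str, recomputed: str) -> bool:
    """Final step of verify mode: compare the stored string with the freshly
    recomputed one without leaking, through timing, how many leading bytes agree."""
    return hmac.compare_digest(stored.encode("ascii"), recomputed.encode("ascii"))


if __name__ == "__main__":
    # Hash taken from the Example section of this page.
    example = "$2b$12$eImiTXuWVxfM37uY4JANjQ.8Y.x/VQ.K8jxOlQ1F5U0RB6u5KfXkC"
    h = parse_bcrypt(example)
    print(h.version, h.cost, h.salt.hex(), len(h.digest))
```

In a real verify step the cost and salt returned by parse_bcrypt are handed to the bcrypt implementation together with the candidate password, and the 60-character string it produces is passed to hashes_match alongside the stored one.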

Typical Use Cases

  • Hashing a password before storing it in a database during development and testing
  • Verifying that a plain-text password matches a stored bcrypt hash for debugging
  • Choosing an appropriate cost factor by benchmarking hashing time on target hardware
  • Learning how bcrypt output format encodes version, cost, salt, and hash

Step-by-step Guide

  1. Step 1: Enter the password you want to hash in the input field.
  2. Step 2: Select the cost factor (12 is a common production default; each step up doubles the hashing time, which slows offline guessing by the same factor).
  3. Step 3: Click 'Hash' and wait for the bcrypt hash to be computed.
  4. Step 4: To verify, switch to the verify tab, enter the plain-text password and the hash.

Example

Input
Password: mySecretPass | Cost: 12
Output
$2b$12$eImiTXuWVxfM37uY4JANjQ.8Y.x/VQ.K8jxOlQ1F5U0RB6u5KfXkC

Tips & Notes

  • A cost factor of 12 is a good default for 2024 – it produces a hash in roughly 250–500 ms on a modern server, fast enough for an interactive login but slow enough to make offline guessing expensive. Benchmark on the hardware that will actually verify logins before settling on a value.
  • Increase the cost factor over time as hardware gets faster. The cost is stored in every hash string, so existing hashes keep verifying at their original cost; on a user's next successful login, when the plain-text password is available, re-hash it at the new cost and overwrite the stored value.
  • bcrypt truncates passwords at 72 bytes (bytes, not characters: multi-byte UTF-8 passwords reach the limit sooner) – passwords longer than 72 bytes produce the same hash as their first 72 bytes. If you need to support longer passwords, pre-hash with SHA-256 and base64- or hex-encode the digest before passing it to bcrypt, because a raw digest can contain a NUL byte that many implementations treat as end of string; apply the same pre-hash step at verification time.
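
An added example, again standard-library Python and not the page's or the tool's own code, for the two tips above: needs_rehash is meant to run right after a successful login, and prehash prepares an over-long password for bcrypt. TARGET_COST is an assumed policy value, and the function names are this example's own; the sample hash is the one from the Example section.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 72   # the limit is in bytes, not characters
TARGET_COST = 12        # assumed site policy for this example


def stored_cost(stored: str) -> int:
    """Read the two-digit cost out of a "$2b$NN$..." string."""
    if (len(stored) != 60 or not stored.startswith("$2")
            or stored[3] != "$" or stored[6] != "$"):
        raise ValueError("not a bcrypt hash string")
    return int(stored[4:6])


def needs_rehash(stored: str, target_cost: int = TARGET_COST) -> bool:
    """True when the stored hash was made with a weaker cost than current policy.
    Call this right after a *successful* login: that is the only moment the
    plain-text password is available to re-hash at the new cost and overwrite
    the stored value."""
    return stored_cost(stored) < target_cost


def exceeds_bcrypt_limit(password: str) -> bool:
    """bcrypt only consumes the first 72 bytes of the UTF-8 encoding, so a
    20-character password made of 4-byte code points is already 80 bytes."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def prehash(password: str) -> bytes:
    """Fold an arbitrarily long password into 44 bytes before bcrypt.  The SHA-256
    digest is base64-encoded rather than fed in raw: a raw digest can contain 0x00,
    and implementations that treat the password as a C string stop at the first NUL
    (others reject it outright).  The same function must run at verification time."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # 44 ASCII bytes, never contains NUL


if __name__ == "__main__":
    example = "$2b$12$eImiTXuWVxfM37uY4JANjQ.8Y.x/VQ.K8jxOlQ1F5U0RB6u5KfXkC"
    print("rehash needed at cost 13:", needs_rehash(example, 13))
    long_pw = "\U0001F511" * 20  # constructed sample: 20 key emoji, 80 bytes
    print("over limit:", exceeds_bcrypt_limit(long_pw), "prehashed:", prehash(long_pw))
```

Pre-hash either every password or none: mixing the two schemes means the verification path has to guess which one was used when the hash was stored.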

Frequently Asked Questions

What is the difference between bcrypt and SHA-256?
SHA-256 is a fast general-purpose cryptographic hash. Fast hashing is good for data integrity but bad for passwords because attackers can test billions of candidates per second. Bcrypt is designed to be slow and includes a cost factor you can increase over time, making brute-force attacks impractical.
Why does bcrypt include the salt in the output?
The salt is stored in the hash string so that the verification function can re-derive the same hash from the plain-text password. Each hash has its own unique salt, so two identical passwords produce different hashes.
Should I use bcrypt, scrypt, or Argon2?
All three are strong choices. Argon2 (winner of the 2015 Password Hashing Competition) is generally the modern recommendation as it is memory-hard, making GPU attacks more expensive. bcrypt remains widely supported and is a safe choice. scrypt is also memory-hard but less commonly implemented. Avoid MD5, SHA-1, and SHA-256 for password hashing.