Bcrypt Generator

Generate and verify bcrypt password hashes — the industry standard for secure password storage in PHP, Node.js, and Python.


About Bcrypt

Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. It was specifically designed for password hashing with two key properties: it is deliberately slow (adjustable via cost factor) and it automatically incorporates a random salt to prevent rainbow table attacks.

The cost factor (work factor) determines how computationally expensive the hash is — each increment doubles the computation time. Cost 10 takes ~100ms on modern hardware, making brute force attacks impractical. Cost 12 takes ~400ms and is suitable for high-security applications. Cost 14+ (used by some financial systems) takes seconds per hash.

Bcrypt output format: $2y$COST$SALTHASHVALUE. The $2y$ prefix identifies the algorithm variant; it is followed by the two-digit cost factor, then a 22-character salt immediately followed by a 31-character hash (both encoded with bcrypt's own Base64 alphabet, which differs from standard Base64).

FAQ

Why does bcrypt produce a different hash each time for the same password?
Bcrypt automatically generates a random 128-bit salt for each hash. The salt is stored as part of the hash output, so verification does not need to store the salt separately. The salt prevents precomputed rainbow table attacks.
What cost factor should I use in production?
OWASP recommends a cost factor that makes hashing take at least 1 second on your production hardware. Start at cost 12 for most applications. Test on your actual server hardware and adjust so hash generation takes 100ms–1000ms per operation.
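As an added example (not the tool's own code), here is a small Python parser for the hash format described in the About section: it splits a stored bcrypt string into variant, cost, salt and hash, decodes the 22-character salt back to the 128-bit value the FAQ mentions using bcrypt's own alphabet, and flags hashes whose cost is below a chosen policy so they can be re-hashed at the user's next successful login. The sample hash string and the minimum cost of 12 are constructed assumptions, not values from any real system.

```python
import re
from dataclasses import dataclass
# bcrypt's own Base64 alphabet ("./A-Za-z0-9"); this is NOT the RFC 4648 alphabet.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<variant>$<cost>$<22-char salt><31-char hash>; variants seen in the wild: 2, 2a, 2b, 2x, 2y.
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

@dataclass(frozen=True)
class BcryptHash:
    variant: str
    cost: int
    salt: str    # 22 chars -> 16 bytes (128-bit salt)
    digest: str  # 31 chars -> 23 bytes of hash output

def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields; raise ValueError if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:  # bcrypt implementations only accept cost 4..31
        raise ValueError(f"cost {cost} out of range 4..31")
    return BcryptHash(m["variant"], cost, m["salt"], m["digest"])

def is_valid_bcrypt(hash_str: str) -> bool:
    try:
        parse_bcrypt(hash_str)
        return True
    except ValueError:
        return False

def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt Base64; trailing bits that do not fill a whole byte are dropped."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def needs_rehash(hash_str: str, min_cost: int = 12) -> bool:
    """True if the stored hash is below the policy cost (assumed 12 here)."""
    return parse_bcrypt(hash_str).cost < min_cost

# Constructed sample: valid format only, not the hash of any real password.
SAMPLE_HASH = "$2y$12$aB3dE5fG7hI9jK1lM2nO4pqR6sT8uV0wX1yZ2aB3cD4eF5gH6iJ7k"
```

Run needs_rehash() on each stored hash at login time; a True result means the user's password should be hashed again at the current policy cost once it has been verified.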