Bcrypt Password Checker
Free online bcrypt hash generator and verifier. Hash a password with bcrypt (cost factor 4–14) and verify whether a plain-text password matches a bcrypt hash. Uses bcryptjs — 100% client-side, nothing is sent to any server.
Free · No login · 100% browser-based · No data sent to servers
Bcrypt is a password hashing function designed in 1999 by Niels Provos and David Mazières, intentionally slow to resist brute-force attacks. Unlike SHA-256, which hashes millions of values per second, bcrypt's work factor (cost parameter) makes it computationally expensive — increasing the cost by 1 doubles the computation time. It also incorporates a random salt, so the same password always produces a different hash.
This tool hashes passwords and verifies bcrypt hashes entirely in your browser using the bcryptjs library. The default cost factor is 12 (industry standard for user passwords in 2024). Never send plaintext passwords to a third-party website — this tool processes everything locally.
What is bcrypt?
Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999. Unlike SHA-256 or MD5, bcrypt is deliberately slow and includes a cost factor (work factor) that controls how many iterations are performed. This makes brute-force attacks computationally expensive. Bcrypt is the recommended way to store passwords in databases.
What cost factor should I use?
Cost factor 10–12 is the most common choice for production systems. At cost 10, bcrypt takes ~100ms on a modern server — fast enough for login but slow enough to deter brute-force. Higher cost = more secure but slower. OWASP recommends at least cost 10. This tool defaults to cost 10.
Why does bcrypt produce a different hash each time?
Bcrypt uses a random 22-character salt that gets embedded in the hash output. This is intentional — it means even the same password hashed twice produces different outputs. When verifying, bcrypt extracts the salt from the stored hash and uses it to re-hash the input for comparison. You never store the salt separately.
What is the cost factor (work factor) in bcrypt?
The cost factor (also called rounds or work factor) controls how slow the hashing is. Cost 10 = 2^10 = 1,024 iterations. Cost 12 = 4,096 iterations. Higher cost = more secure but slower. OWASP recommends cost 10 as a minimum; cost 12 is reasonable for 2024 hardware. Increase it as hardware gets faster. The cost is stored in the hash itself (e.g. $2b$12$ means cost 12).
Why should I use bcrypt instead of SHA for passwords?
SHA is designed to be fast — a modern GPU can compute billions of SHA-256 hashes per second, making brute-force attacks trivial. Bcrypt is intentionally slow (designed by Niels Provos and David Mazières in 1999 specifically for passwords). It also automatically salts each hash, preventing rainbow table attacks. Always use bcrypt, scrypt, or Argon2 for password storage.
How does bcrypt salting work?
Bcrypt automatically generates a unique random 128-bit salt for every hash, stored as part of the hash string itself. This means two identical passwords produce completely different hashes. You never need to manage salts separately — bcrypt handles this internally. The full hash output ($2b$12$...) includes the version, cost factor, salt, and hash all in one string.
What does a bcrypt hash look like and how do I read it?
Example: $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj1QAFDBkXmm. Breaking it down: $2b = bcrypt version. $12 = cost factor (2^12 iterations). The next 22 characters are the base-64 encoded salt. The remaining 31 characters are the hash. Total length is always 60 characters for bcrypt.
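The hash layout described above, as an added example (not code from this tool or from bcryptjs): a dependency-free JavaScript parser that splits a bcrypt string into version, cost, salt and digest, decodes the 22-character salt into its 16 bytes, and flags hashes stored below a minimum cost. The function names and the needsRehash policy check are assumptions made for illustration.

```javascript
// bcrypt uses its own unpadded base-64 alphabet, not the standard one.
const BCRYPT_ALPHABET =
  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// $<version>$<2-digit cost>$<22-char salt><31-char digest> = 60 characters.
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Decode bcrypt base-64 (standard bit order, different alphabet) to bytes.
function decodeBcryptBase64(text, byteLength) {
  const out = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of text) {
    const value = BCRYPT_ALPHABET.indexOf(ch);
    if (value < 0) throw new Error("character outside bcrypt alphabet");
    buffer = (buffer << 6) | value;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return Uint8Array.from(out.slice(0, byteLength));
}

// Returns the parsed fields, or null if the string is not a bcrypt hash.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost,
    salt: m[3],
    saltBytes: decodeBcryptBase64(m[3], 16), // 22 chars -> 128-bit salt
    digest: m[4],
  };
}

// Hypothetical policy check: re-hash at next login if the stored cost is
// below the current minimum, or if the stored value is not bcrypt at all.
function needsRehash(hash, minimumCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < minimumCost;
}

// The example hash from this page.
const EXAMPLE_HASH =
  "$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj1QAFDBkXmm";
console.log(parseBcryptHash(EXAMPLE_HASH), needsRehash(EXAMPLE_HASH, 13));
```

Because the cost travels inside the stored string, a check like this can run at login time and trigger a re-hash with a higher cost while the plaintext password is still available.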