Bcrypt Generator & Verifier

Generate bcrypt password hashes with configurable cost factor, or verify a password against an existing bcrypt hash. Free, secure, and open.

Recommended: 10–12 for most applications. Each +1 doubles computation time.

What is Bcrypt?

Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, built on the Blowfish cipher's expensive key schedule. Unlike general-purpose hash functions such as MD5 or SHA-256, which are designed to be fast, bcrypt is deliberately slow, so every guess an attacker makes costs a full, tunable amount of CPU time.

Bcrypt automatically generates and incorporates a random salt, preventing rainbow table attacks. Its adaptive cost factor allows you to increase the work required as hardware gets faster, keeping your password storage secure over time.

Bcrypt Hash Structure

A bcrypt hash is always 60 characters long and follows this format. The example below is a published crypt_blowfish/OpenBSD test vector for the password U*U (with a fixed test salt, which is why the salt is not random-looking):

$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW

$2a$

Algorithm identifier. $2b$ is the current standard; $2a$ (used in this example) is the original identifier and $2y$ is the identifier emitted by crypt_blowfish, the implementation PHP uses. Current libraries verify all three.

05$

Cost factor (log2 of the number of key-expansion rounds), always written as two digits. Cost 5 = 2^5 = 32 rounds; the recommended cost 12 = 2^12 = 4,096 rounds.

Salt (22 chars)

128-bit random salt encoded in bcrypt's own base64 alphabet (./A-Za-z0-9, which is not the RFC 4648 alphabet, so standard base64 decoders will mangle it). Generated automatically, unique per hash.

Hash (31 chars)

184-bit result (the first 23 of the 24 bytes bcrypt computes) encoded in the same alphabet. Derived from the password, salt, and cost factor.
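The following Python is an added example, not code from this page's tool: it parses the 60-character string above into its four fields and implements bcrypt's non-standard base64 encoding in both directions, so the field widths (22 chars for 16 bytes, 31 chars for 23 bytes) can be checked rather than taken on faith. It performs no hashing; the names BcryptHash, parse_bcrypt and KNOWN_HASH are the example's own.

```python
"""Parse and re-encode bcrypt hash strings (format only; no hashing is performed)."""
import re
from dataclasses import dataclass

# bcrypt's own base64 alphabet: '.' and '/' first, then A-Z, a-z, 0-9.
# This is NOT the RFC 4648 alphabet, so standard base64 decoders will mangle it.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_INDEX = {ch: i for i, ch in enumerate(BCRYPT_ALPHABET)}

# $<variant>$<cost>$<22-char salt><31-char hash>  ==  7 + 22 + 31 = 60 characters
_HASH_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Published crypt_blowfish / OpenBSD test vector: password "U*U", fixed test salt.
KNOWN_HASH = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"


@dataclass(frozen=True)
class BcryptHash:
    variant: str    # "2a", "2b", "2y", or "2x" (crypt_blowfish's marker for hashes from its pre-2011 buggy code)
    cost: int       # log2 of the key-expansion rounds, 4..31
    salt: bytes     # 16 bytes (128 bits)
    digest: bytes   # 23 bytes (184 bits): bcrypt drops the last byte of its 24-byte output


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt-base64 text into exactly nbytes; leftover bits in the last char are padding."""
    acc = bits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | _INDEX[ch]
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    if len(out) != nbytes:
        raise ValueError(f"expected {nbytes} bytes, decoded {len(out)}")
    return bytes(out)


def bcrypt_b64encode(data: bytes) -> str:
    """Inverse of bcrypt_b64decode: 16 bytes -> 22 chars, 23 bytes -> 31 chars (padding bits zero)."""
    acc = bits = 0
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(BCRYPT_ALPHABET[(acc >> bits) & 0x3F])
            acc &= (1 << bits) - 1
    if bits:  # left-align the leftover bits in a final character
        out.append(BCRYPT_ALPHABET[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


def parse_bcrypt(hash_string: str) -> BcryptHash:
    """Split a 60-character bcrypt string into its fields, rejecting anything malformed."""
    match = _HASH_RE.match(hash_string)
    if match is None or len(hash_string) != 60:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost_text, salt_text, digest_text = match.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return BcryptHash(variant, cost, bcrypt_b64decode(salt_text, 16), bcrypt_b64decode(digest_text, 23))


def rounds(parsed: BcryptHash) -> int:
    """Number of expensive key-expansion rounds implied by the cost factor."""
    return 1 << parsed.cost


if __name__ == "__main__":
    h = parse_bcrypt(KNOWN_HASH)
    print(h.variant, h.cost, rounds(h), h.salt.hex(), h.digest.hex())
```

Decoding the test salt gives the bytes 10 41 04 repeated five times followed by 10, and re-encoding both fields reproduces the original characters exactly, which confirms that the last character of each field carries only 4 (salt) or 2 (hash) meaningful bits.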

Choosing the Right Cost Factor

The cost factor controls how many rounds of key expansion bcrypt performs. Each increment doubles the computation time:

Cost   Rounds (2^cost)   Approx. time per hash   Use case
4      16                ~1ms                    Testing only
10     1,024             ~65ms                   Standard web apps
12     4,096             ~250ms                  Recommended default
14     16,384            ~1s                     High-security apps
17     131,072           ~8s                     Maximum security; too slow for interactive logins

Rule of thumb: Choose the highest cost factor that keeps hash generation under 250–500ms on your production hardware. Re-evaluate annually as CPUs get faster.

Bcrypt vs Other Hashing Algorithms

Feature                 Bcrypt             MD5/SHA            Argon2
Purpose                 Password hashing   General hashing    Password hashing
Built-in salt           ✓ Yes              ✗ No               ✓ Yes
Adaptive cost           ✓ CPU time         ✗ No               ✓ CPU + memory
Brute-force resistant   ✓ Very             ✗ Weak             ✓ Very
Industry adoption       Very high          Legacy only        Growing

Security Best Practices

  • Never store passwords in plain text. Always hash with bcrypt or another adaptive password hashing function (Argon2, scrypt, PBKDF2).
  • Don't use MD5 or SHA for passwords. A single round of MD5 or SHA-256 is far too fast: GPU rigs try billions of guesses per second against them.
  • Don't invent your own salt logic. Bcrypt generates a cryptographically random salt and embeds it in the hash string, so verification needs nothing but the stored hash.
  • Increase the cost factor over time. As hardware improves, raise the target cost; existing hashes can only be upgraded at login, when the plaintext is briefly available, so check the stored cost after each successful verification and rehash if it is below target.
  • 72-byte limit. Bcrypt only processes the first 72 bytes of input; most implementations silently ignore the rest, and many stop at the first NUL byte. If you must accept longer passphrases, pre-hash with SHA-256 and pass the base64- or hex-encoded digest (never the raw bytes, which can contain NUL), and apply the same pre-hash on every verification.
  • Use constant-time comparison. When verifying, call your library's verify function (password_verify() in PHP, bcrypt.checkpw() in Python's bcrypt package, and so on); never compare hash strings with == or a plain string comparison.
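The practices above, and the "highest cost that stays under your latency budget" rule from the cost-factor section, as one working routine. This is an added example, not this page's tool code; it assumes the pyca/bcrypt package (bcrypt.gensalt, bcrypt.hashpw and bcrypt.checkpw) for the hashing itself, while the pre-hash and cost-check helpers use only the standard library. TARGET_COST, prehash, needs_rehash, verify_password and calibrate_cost are names chosen for the example.

```python
"""Hash, verify, upgrade and calibrate bcrypt passwords (added example; assumes pyca/bcrypt)."""
import base64
import hashlib
import re
import time

try:
    import bcrypt  # pyca/bcrypt (pip install bcrypt); only the three hashing functions below need it
except ImportError:
    bcrypt = None

_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
TARGET_COST = 12  # raise this over time; hashes below it are upgraded on the next successful login


def _require_bcrypt() -> None:
    if bcrypt is None:
        raise RuntimeError("the pyca/bcrypt package is required for hashing: pip install bcrypt")


def prehash(password: str) -> bytes:
    """Fold a password of any length into 44 ASCII bytes, inside bcrypt's 72-byte limit.

    The SHA-256 digest is base64-encoded rather than passed raw: a raw digest can contain
    a 0x00 byte, and C-based bcrypt implementations stop reading at the first NUL. Every
    verification must apply the same pre-hash, so commit to it before storing any hash.
    (pyca/bcrypt 4.1 and later reject inputs over 72 bytes with ValueError instead of truncating.)
    """
    return base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest())


def cost_of(stored_hash: str) -> int:
    """Read the cost factor out of a stored bcrypt string (the two digits after the prefix)."""
    match = _BCRYPT_RE.match(stored_hash)
    if match is None:
        raise ValueError("not a bcrypt hash")
    return int(match.group(1))


def needs_rehash(stored_hash: str, target_cost: int = TARGET_COST) -> bool:
    """True when the stored hash was made with a lower cost than we now require."""
    return cost_of(stored_hash) < target_cost


def hash_password(password: str, cost: int = TARGET_COST) -> str:
    _require_bcrypt()
    salt = bcrypt.gensalt(rounds=cost)  # fresh 128-bit random salt, "$2b$" prefix
    return bcrypt.hashpw(prehash(password), salt).decode("ascii")


def verify_password(password: str, stored_hash: str, target_cost: int = TARGET_COST):
    """Return (ok, upgraded_hash). upgraded_hash is a new hash to store, or None.

    checkpw recomputes the hash with the stored salt and cost and compares in constant
    time, so callers never compare hash strings themselves.
    """
    _require_bcrypt()
    ok = bcrypt.checkpw(prehash(password), stored_hash.encode("ascii"))
    if ok and needs_rehash(stored_hash, target_cost):
        return True, hash_password(password, target_cost)  # only possible now: we hold the plaintext
    return ok, None


def calibrate_cost(target_ms: float = 250.0, minimum: int = 10, maximum: int = 31) -> int:
    """Highest cost in [minimum, maximum] that hashes in under target_ms on this machine.

    Each step doubles the work, so the loop ends after a handful of hashes. Run it on the
    production hardware, not a developer laptop, and repeat it yearly.
    """
    _require_bcrypt()
    chosen = minimum  # never go below the floor, even if the floor is already over budget
    for cost in range(minimum, maximum + 1):
        started = time.perf_counter()
        bcrypt.hashpw(b"calibration-only", bcrypt.gensalt(rounds=cost))
        if (time.perf_counter() - started) * 1000 > target_ms:
            break
        chosen = cost
    return chosen


if __name__ == "__main__" and bcrypt is not None:
    stored = hash_password("correct horse battery staple", cost=10)  # stands in for an old, low-cost hash
    ok, upgraded = verify_password("correct horse battery staple", stored)
    print(ok, needs_rehash(stored), upgraded is not None and cost_of(upgraded))
    print("calibrated cost:", calibrate_cost())
```

Store upgraded_hash in place of the old one whenever verify_password returns it; a rollout that raises TARGET_COST then migrates users transparently as they log in, without ever needing their plaintext outside the login request.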

Frequently Asked Questions

What is bcrypt?
Bcrypt is an adaptive password hashing function designed by Niels Provos and David Mazières in 1999. Based on the Blowfish cipher, it incorporates a random salt and a configurable cost factor to make brute-force guessing expensive. It remains one of the most widely deployed password storage functions in web applications.
What cost factor should I use?
For most web applications, a cost factor of 10-12 is recommended. This provides a good balance between security and performance, typically taking 100-250ms per hash. For high-security applications, use 13-14. For testing, 4-6 is sufficient. The key metric is that hashing should take at least 100ms on your production hardware.
Why is bcrypt better than MD5 or SHA256 for passwords?
MD5 and SHA256 are designed to be fast — an attacker with a GPU can compute billions of MD5 hashes per second. Bcrypt is intentionally slow (configurable via cost factor), includes a built-in random salt (preventing rainbow table attacks), and can be made slower over time as hardware improves. This combination makes it orders of magnitude more resistant to brute-force attacks.
What is the 72-byte limit in bcrypt?
Bcrypt only processes the first 72 bytes of the input password. Most implementations silently ignore anything beyond that, and many also stop at the first NUL byte. For typical passwords this is not an issue, but if you need to support very long passphrases you can pre-hash the input with SHA-256 and pass the base64- or hex-encoded digest (not the raw digest bytes, which may contain a NUL) to bcrypt. The same pre-hash must then be applied on every verification.
What do $2a$, $2b$, and $2y$ mean?
$2a$ is the original identifier. $2b$ was introduced by OpenBSD in 2014 after it fixed a bug in its implementation that mishandled passwords longer than 255 bytes. $2y$ was introduced by crypt_blowfish, the implementation PHP uses, after it fixed a 2011 bug affecting passwords containing non-ASCII bytes; $2x$ marks hashes produced by the buggy code. For new applications use $2b$ (PHP's password_hash() emits $2y$). Current implementations verify all of these prefixes, and for ordinary passwords $2a$, $2b$ and $2y$ produce the same hash from the same salt and cost.
Can bcrypt hashes be reversed?
No. Bcrypt is a one-way function — there is no mathematical way to recover the original password from a bcrypt hash. The only way to "crack" a bcrypt hash is to try every possible password (brute force), which the cost factor makes extremely time-consuming.
Is my password stored when I use this tool?
Your password is sent to the server only for hashing (this tool computes bcrypt on the server) and is discarded immediately after the hash is generated. We do not log, store, or retain any passwords or hashes. As with any online tool, use it for testing and learning only, and never submit a password that protects a live account.