Scrypt Hash Generator & Verifier

Memory-hard password hashing with configurable CPU and memory cost parameters. More resistant to GPU attacks than bcrypt.


Two presets are offered. Interactive: fast, low memory (~16 MB). Sensitive: slower, more memory (~128 MB).


What is Scrypt?

Scrypt is a password-based key derivation function designed by Colin Percival in 2009. It is specifically engineered to be memory-hard, making it extremely expensive to perform large-scale brute-force attacks using ASICs, GPUs, or FPGAs.

Unlike bcrypt, which is only CPU-hard, scrypt requires an amount of RAM proportional to its cost parameter. An attacker cannot simply throw more processing cores at the problem: each core also needs its own proportional share of memory, which is expensive to provide in parallel hardware.

How Scrypt Works

Scrypt works in three phases: (1) PBKDF2-HMAC-SHA256 expands the password and salt into an initial block; (2) the ROMix algorithm, built on the Salsa20/8 core, fills a large memory array with N successive blocks; (3) a second pass of N memory-dependent lookups, where each index depends on the previous block, forces the array to be accessed sequentially. The memory requirement is approximately 128 × N × r bytes.

Type: Password KDF
Year: 2009
Status: ✓ Secure

Common Use Cases

  • Password hashing and storage
  • Litecoin and cryptocurrency mining
  • Key derivation for encryption
  • Tarsnap online backup service
  • Django password storage backend
  • libsodium password hashing

Security Considerations

Scrypt's memory-hardness makes it significantly more resistant to hardware-based attacks than bcrypt or PBKDF2. However, Argon2 (the Password Hashing Competition winner) improves upon scrypt by offering better resistance to time-memory trade-off attacks and GPU parallelism. For new projects, consider Argon2 as the first choice, with scrypt as a strong alternative.

Scrypt vs Other Password Hashing Functions

Feature            Scrypt      Bcrypt      Argon2
Memory-hard        ✓ Yes       ✗ No        ✓ Yes
GPU resistant      Strong      Moderate    Strong
TMTO resistance    Moderate    N/A         Strong
Year               2009        1999        2015
PHC winner         ✗ No        ✗ No        ✓ Yes

Frequently Asked Questions

What is scrypt?
Scrypt is a password-based key derivation function designed by Colin Percival in 2009. It is specifically designed to be memory-hard, making it expensive to perform large-scale custom hardware attacks using ASICs or GPUs.

How does scrypt compare to bcrypt?
Both are adaptive password hashing functions, but scrypt adds memory-hardness. Bcrypt is CPU-hard only, while scrypt requires large amounts of memory, making it more resistant to GPU and ASIC attacks. Bcrypt is more widely adopted; scrypt is used in Litecoin and some security libraries.

What parameters should I use for scrypt?
OWASP recommends N=2^17 (131072), r=8, p=1 as a minimum for password storage. This uses approximately 128 MB of memory. Increase N for higher security. The parameters must be tuned to the memory available on your server.

What is the N (cost) parameter?
N is the CPU/memory cost parameter and must be a power of 2. It determines how much memory scrypt uses: memory ≈ 128 × N × r bytes. Higher N means more memory and CPU time, making attacks more expensive.

What are the r and p parameters?
r (block size) controls the size of each block, and therefore the length of each sequential memory read. p (parallelism) sets the number of independent mixing operations that can be computed in parallel. Most implementations use r=8, p=1. Increasing r increases memory usage; increasing p allows parallel computation.

Is scrypt quantum-resistant?
Scrypt's memory-hardness provides some resistance to quantum attacks, as quantum computers don't have inherent advantages for memory-bound problems. However, no password hashing function is fully quantum-proof.

Where is scrypt used?
Scrypt is used in Litecoin mining, libsodium's password hashing, Django's password storage, and various cryptocurrency projects. It's also used in Tarsnap (online backup service) by its creator.
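The hash-and-verify flow described under "How Scrypt Works" and the N/r/p guidance in the FAQ, as an added example using Python's standard-library hashlib.scrypt (not this page's own generator code). The "$scrypt$ln=..,r=..,p=..$salt$hash" string layout is this example's own hypothetical encoding, not Django's or libsodium's; the memory estimate includes the 128 × r × p bytes of working blocks that OpenSSL counts on top of the 128 × N × r array.

```python
import base64
import hashlib
import hmac
import os

# Working memory of scrypt: the 128*N*r byte array dominates, plus 128*r*p
# bytes of block buffers. OpenSSL's limit check counts both, so passing
# maxmem=128*N*r exactly makes hashlib.scrypt raise "memory limit exceeded".
def scrypt_memory_bytes(n: int, r: int, p: int = 1) -> int:
    return 128 * n * r + 128 * r * p

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, n: int = 2**17, r: int = 8, p: int = 1,
                  salt: bytes = None) -> str:
    """Derive a 32-byte key and encode it with its parameters (hypothetical layout)."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of 2")
    salt = salt if salt is not None else os.urandom(16)   # fresh salt per hash
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        maxmem=2 * scrypt_memory_bytes(n, r, p), dklen=32)
    return f"$scrypt$ln={n.bit_length() - 1},r={r},p={p}${_b64(salt)}${_b64(dk)}"

def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[1] != "scrypt":
        return False          # malformed or foreign hash string
    kv = dict(item.split("=") for item in parts[2].split(","))
    n, r, p = 2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"])
    salt, expected = base64.b64decode(parts[3]), base64.b64decode(parts[4])
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=2 * scrypt_memory_bytes(n, r, p),
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # "Interactive"-style preset from this page: N=2^14, r=8 -> about 16 MB
    h = hash_password("correct horse battery staple", n=2**14)
    print(h)
    print(verify_password("correct horse battery staple", h))   # True
    print(verify_password("wrong password", h))                  # False
    # OWASP minimum from the FAQ: N=2^17, r=8, p=1 -> about 128 MiB
    print(scrypt_memory_bytes(2**17, 8) // 2**20, "MiB")
```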