Bcrypt Generator & Verifier
Hash strings with bcrypt and verify hashes. Configurable cost rounds. Runs entirely in your browser — nothing is sent to a server.
Hash strings with bcrypt and verify hashes. Configurable cost rounds. Runs entirely in your browser — nothing is sent to a server.
bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher. It was specifically designed to be slow and computationally expensive, making brute-force attacks infeasible. Unlike MD5 or SHA hashes, bcrypt is intentionally slow and includes a configurable work factor (cost rounds).
bcrypt hashes include the algorithm identifier, cost factor, a 128-bit salt, and the 184-bit hash, all in a single string. This means you don't need to store the salt separately — it's embedded in the hash.
This tool is intended for testing and development, not for production password hashing. Production password hashing should always happen server-side. Client-side hashing can provide a layer of protection but should not be the only security measure. This tool's data never leaves your browser.
bcrypt generates a random salt each time you hash a string. The salt is included in the output hash. This means the same password hashed twice will produce different hashes, but both can be verified against the original password because the salt is embedded in each hash.
The $2b$ prefix is the version identifier for the bcrypt algorithm. $2a$ and $2y$ are older variants. The number after the second $ (e.g., $2b$10$) is the cost factor (rounds). The rest is 22 characters of salt followed by 31 characters of the actual hash.