Bcrypt Generator & Checker
Hash passwords with bcrypt and verify hashes — adjustable cost factor, all client-side.
How to use the bcrypt generator
Hash mode
Enter a password and pick the cost factor (4–14). Higher cost = slower = harder to brute-force. Production password databases in 2026 typically use cost 10–12.
Read the hash
Output is the standard $2a$<cost>$<salt><hash> format that PHP's password_verify(), Node.js bcrypt libraries, and every other ecosystem speak natively.
Verify mode
Paste any bcrypt hash and a candidate password — the tool checks the salt and cost from the hash itself, recomputes, and tells you whether the password matches.
Note the same-password-different-hash rule
bcrypt includes a random 16-byte salt in every hash output. Hashing "hunter2" twice produces two different hashes — both verify back to the same password. This is by design.
bcrypt — the password-storage standard that has aged well
bcrypt was designed in 1999 by Niels Provos and David Mazières for OpenBSD, specifically to replace the then-common crypt(3) DES-based password hashing that had become broken by Moore's Law. Twenty-six years later it remains the most-deployed password hashing scheme on the web — used by Laravel, Django, Rails, Express, every WordPress install, every major SaaS authentication stack. Its central insight: make the hash function deliberately slow, then make the slowness tunable so it can scale with hardware improvements. Hash a million passwords at cost 4? Fast. Hash a million passwords at cost 14? You're paying a thousand seconds per hash. An attacker brute-forcing leaked hashes pays the same cost — but you only do it once per login, while the attacker does it billions of times.
How bcrypt actually works
The construction is based on a modified Blowfish cipher. The "EksBlowfish" key schedule is run 2^cost times with the password and a 16-byte salt as input, producing a stretched key. That key is then used to encrypt the literal string "OrpheanBeholderScryDoubt" 64 times, and the result is encoded in bcrypt's custom radix-64 alphabet alongside the cost and salt. The output is a single 60-character string starting with $2a$ or $2b$ (the variant identifier), followed by the cost, salt, and hash. Verifying a password is the same operation in reverse: extract the cost and salt from the stored hash, run the computation again with the candidate password, and compare the result to the stored hash. The cost factor is the binary log of the iteration count; cost 10 means 2^10 = 1,024 iterations, cost 12 means 4,096 iterations.
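The parsing half of the verify step above (read the variant, cost, salt and hash out of the stored string) is easy to show in code. The following is an added example written for this page, not code from the generator tool or from any bcrypt library: it splits the $2a$/$2b$ string into its fields, decodes the two radix-64 fields with bcrypt's own alphabet rather than standard base64, and adds the check a login path should make after a successful verify, namely whether the stored cost is now below policy and the password should be rehashed. The EksBlowfish computation itself is left to your platform's bcrypt library. The sample hash is constructed to be format-valid only; it is not the bcrypt of any password, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# bcrypt's radix-64 alphabet: "./" come first and the digits come last.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Standard base64 (RFC 4648) alphabet, included only to show the mismatch.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# $<variant>$<2-digit cost>$<22-char salt><31-char digest> == 60 characters.
# 2a/2b are the OpenBSD identifiers; 2x/2y are the crypt_blowfish (PHP) markers.
_BCRYPT_RE = re.compile(r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

# Constructed sample: syntactically valid, NOT the bcrypt of any real password.
SAMPLE_HASH = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def radix64_decode(text: str, nbytes: int, alphabet: str = BCRYPT_ALPHABET) -> bytes:
    """Decode an unpadded 6-bits-per-character string into nbytes bytes.

    The bit packing is the same as base64 (4 chars -> 3 bytes); only the
    alphabet differs, which is why a standard base64 decoder returns garbage
    or errors on bcrypt fields.  Trailing bits beyond nbytes are discarded,
    as bcrypt itself does (22 chars carry 132 bits for a 128-bit salt).
    """
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        value = alphabet.find(ch)
        if value < 0:
            raise ValueError(f"character {ch!r} is not in the alphabet")
        acc = (acc << 6) | value
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1  # keep only the bits not yet consumed
    if len(out) < nbytes:
        raise ValueError(f"need {nbytes} bytes, got {len(out)}")
    return bytes(out[:nbytes])


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2a", "2b", "2x" or "2y"
    cost: int      # log2 of the key-schedule iteration count
    salt: bytes    # 16 bytes
    digest: bytes  # 23 bytes (bcrypt keeps 23 of the 24 ciphertext bytes)

    @property
    def iterations(self) -> int:
        return 1 << self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = _BCRYPT_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a 60-character bcrypt hash")
    variant, cost_s, salt_s, digest_s = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:  # the range the OpenBSD implementation accepts
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return BcryptHash(variant, cost, radix64_decode(salt_s, 16), radix64_decode(digest_s, 23))


def is_bcrypt_hash(value: str) -> bool:
    """Cheap format check, e.g. for validating rows imported into a user table."""
    try:
        parse_bcrypt(value)
        return True
    except ValueError:
        return False


def needs_rehash(stored_hash: str, target_cost: int) -> bool:
    """True when the stored hash was made at a lower cost than policy now requires.

    Same idea as PHP's password_needs_rehash(): call it after a successful
    verify and re-hash the plaintext at target_cost so old rows get upgraded.
    """
    return parse_bcrypt(stored_hash).cost < target_cost


if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE_HASH)
    print(h.variant, h.cost, h.iterations, h.salt.hex(), h.digest.hex())
    print("rehash at cost 13?", needs_rehash(SAMPLE_HASH, 13))
```

The rehash check is how a database moves from cost 10 to cost 12 without forcing a password reset: the only moment the plaintext is available is right after a successful login, so that is when the row is rewritten at the new cost. Rows that never log in again keep the old cost, which is worth reporting on separately.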
The 72-byte limit
bcrypt has a quirk that catches developers off guard: it silently truncates passwords longer than 72 bytes. A user setting an 80-character ASCII passphrase ends up with only the first 72 bytes hashed — the last 8 don't affect the hash. Two passwords that share the first 72 bytes produce identical hashes. This is a property of the underlying Blowfish key schedule. The common workaround is to pre-hash long passwords with SHA-256 or SHA-512 before passing them to bcrypt, producing a fixed 32 or 64-byte input. Newer algorithms such as Argon2 do not have this limit.
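An added example, not code from this page or from the generator tool: a small normalisation layer that a login service can put in front of its bcrypt library to deal with the 72-byte limit. bcrypt_input applies the pre-hash workaround described above, and indistinguishable_to_bcrypt is a test helper that shows which pairs of passwords bcrypt cannot tell apart without it. Both names, and the choice to base64-encode the digest rather than pass it raw, are this example's own design decisions.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # the Blowfish key-schedule limit discussed above


def effective_bytes(password: str) -> bytes:
    """The bytes bcrypt actually consumes when handed the password as-is."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def indistinguishable_to_bcrypt(a: str, b: str) -> bool:
    """True if bcrypt (under the same salt) would hash a and b identically."""
    return effective_bytes(a) == effective_bytes(b)


def bcrypt_input(password: str) -> bytes:
    """Normalise a password into something safe to hand to bcrypt.

    Up to 72 UTF-8 bytes pass through unchanged.  Anything longer is replaced
    by the base64 text of its SHA-256 digest (44 ASCII bytes).  The encoding
    step matters: a raw digest can contain 0x00, and bcrypt implementations
    built on C strings stop reading at NUL (others reject it outright), so a
    raw digest would be silently or loudly mishandled.
    """
    raw = password.encode("utf-8")
    if len(raw) <= BCRYPT_MAX_BYTES:
        return raw
    return base64.b64encode(hashlib.sha256(raw).digest())


if __name__ == "__main__":
    long_a, long_b = "a" * 72 + "X", "a" * 72 + "Y"
    print("raw bcrypt sees same input:", indistinguishable_to_bcrypt(long_a, long_b))
    print("after pre-hash inputs differ:", bcrypt_input(long_a) != bcrypt_input(long_b))
```

Two caveats worth keeping in mind. The limit is in bytes, not characters, so a 40-character passphrase written in a script with multi-byte UTF-8 letters can already be over it; the helper measures the encoded length for that reason. And whichever normalisation you pick has to be chosen once: switching it on later changes the input for long passwords, so hashes stored before the change will stop verifying unless they are migrated on the user's next successful login. Some deployments pre-hash every password rather than only long ones so the input length is constant; that is a valid variant of the same idea.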
MAS and BNM password-storage guidance
Singapore's MAS Technology Risk Management Guidelines and Malaysia's BNM RMiT guidelines both reference password storage requirements without prescribing a specific algorithm — they require "use of strong, salted, adaptive hashing." bcrypt at cost ≥10, Argon2id with reasonable parameters, and scrypt with appropriate memory factor all satisfy this. What does NOT satisfy: plain SHA-256, MD5, SHA-1, or any unsalted hash. Both regulators audit-flag any ASEAN-licensed fintech caught using MD5 or unsalted SHA-256 for password storage. bcrypt is the path-of-least-resistance compliant choice; Argon2id is the more-modern alternative recommended for new builds.
bcrypt vs Argon2 vs scrypt — picking in 2026
If you're building a new system today: Argon2id with 64MB memory cost and t=3 iterations is the Password Hashing Competition winner (2015) and the recommended modern default. scrypt (2009) was a step between bcrypt and Argon2 — better memory-hardness than bcrypt but harder to tune than Argon2. bcrypt remains the safest "boring" choice — it's been deployed for 26 years without a major break, every language has a mature implementation, and the cost-tuning model is well-understood. If your stack has Argon2 readily available (PHP 7.2+, .NET 5+, Node.js Argon2 package), use it. If not, bcrypt at cost 12 is still defensible for new code in 2026.
10 bcrypt and password-hashing facts
bcrypt was published in 1999 by Niels Provos and David Mazières at USENIX, specifically for the OpenBSD password file. 26 years later it remains uncracked at cost ≥10.
The cost factor is logarithmic — cost 12 takes 16x longer than cost 8, not 1.5x. Each step up in cost roughly doubles hash time on the same hardware.
bcrypt silently truncates inputs longer than 72 bytes. Long passphrases get reduced to their first 72 bytes — most modern frameworks pre-SHA256 the input to avoid this.
The "$2a$" prefix dates to 1999. "$2b$" was added in 2014 to fix a bug in the OpenBSD implementation that affected very long passwords. Most libraries accept either prefix.
bcrypt's encoded radix-64 alphabet is NOT standard base64 — it uses ./ instead of +/ and different ordering. Passing a bcrypt hash through standard base64 decoders mangles it.
Argon2id won the Password Hashing Competition in 2015. It's faster than bcrypt at equivalent security and includes memory-hardness against GPU attacks. PHP 7.2+ and modern languages support it.
PHP's password_hash() and password_verify() default to bcrypt since PHP 5.5. From PHP 7.2 they can also use Argon2i and Argon2id by setting PASSWORD_ARGON2I or PASSWORD_ARGON2ID.
MAS Singapore and BNM Malaysia both require adaptive password hashing for licensed financial services. bcrypt at cost ≥10 satisfies both regulators; MD5 and plain SHA-256 trigger audit findings.
The 2012 LinkedIn breach exposed 6.5 million SHA-1 hashes (unsalted). 90% were cracked within a week. The breach drove industry-wide migration to bcrypt and similar adaptive schemes.
A modern GPU can compute about 100 million plain SHA-256 hashes per second. At bcrypt cost 10, the same GPU does about 5,000 hashes per second — a 20,000x slowdown.