Bcrypt Generator
Generate secure bcrypt password hashes with configurable salt rounds (cost factor 4–16). Verify passwords against existing bcrypt hashes. View hash breakdown including version, cost factor, salt, and timing. All hashing runs locally in your browser using bcryptjs — your passwords never leave your device.
Cost Factor (Salt Rounds)
Recommended — good balance — 2^12 iterations
Bcrypt Hash Format
A bcrypt hash like $2a$12$salt22charshere...hash31chars contains:
- $2a$ — Algorithm version (2a, 2b, or 2y)
- $12$ — Cost factor (2^12 = 4096 iterations)
- Next 22 chars — Base64-encoded salt
- Remaining 31 chars — Base64-encoded hash
Secure Password Hashing with Bcrypt — Free & Private
Password security begins with proper hashing. Bcrypt is the gold standard for password hashing — used by Ruby on Rails, Django, Spring Security, and most security-conscious frameworks. Unlike MD5 or SHA-256, bcrypt is intentionally slow, making brute-force attacks computationally prohibitive.
Our Bcrypt Generator lets you hash passwords with a configurable cost factor (4–16 rounds), verify passwords against existing hashes, and understand the bcrypt hash format. The timing display shows exactly how long each hash takes, helping you choose the right cost factor for your application.
Everything runs 100% in your browser using bcryptjs — your passwords are never sent to any server. This makes it safe for testing with real passwords during development, verifying production hashes, and learning how bcrypt works.
Frequently Asked Questions
What is bcrypt?
Bcrypt is a password hashing function based on the Blowfish cipher. Unlike fast hash algorithms (MD5, SHA-256), bcrypt is intentionally slow and includes a configurable cost factor, making brute-force attacks significantly harder. It also automatically generates and embeds a unique salt in each hash.
What cost factor (rounds) should I use?
For most applications, a cost factor of 10–12 is recommended. Each increment doubles the computation time (12 is 4× slower than 10). Use 10 for general web apps, 12 for sensitive systems, and higher values only if you can tolerate the latency. Never go below 10 in production.
Is it safe to generate bcrypt hashes in the browser?
Yes — this tool runs entirely client-side. Your password never leaves your browser. This is safe for testing and development. For production systems, always generate hashes server-side with a proven library.
Why is the same password generating different hashes?
That is by design. Bcrypt automatically generates a random salt for each hash, so the same password always produces a different hash string. This prevents rainbow table attacks. Use the verify function to check if a password matches any specific hash.
Can I reverse a bcrypt hash to get the original password?
No. Bcrypt is a one-way function — you cannot reverse the hash to recover the password. The only way to check a password is to hash it with the same salt and compare. This is exactly what the verify function does.
What does a bcrypt hash string contain?
A bcrypt hash like $2b$12$LJ3m4ys… contains: the version ($2b$), the cost factor ($12$), a 22-character encoded salt, and a 31-character encoded hash — all in one portable string. No separate salt storage is needed.
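The layout described above can be checked mechanically. The following is an added example, not code from this tool or from bcryptjs: it parses a bcrypt string into its fields, decodes the salt with bcrypt's own base64 alphabet, and flags stored hashes whose cost is below an assumed policy minimum of 10. The function names and sample strings are constructed for illustration.

```javascript
// Added example: field-level parser for the bcrypt string layout described above.
// bcrypt uses its own base64 alphabet, not the RFC 4648 one.
const ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Decode bcrypt-base64 text (6 bits per char, MSB first, no padding) to bytes.
function decodeBcryptBase64(text, byteLength) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | ALPHABET.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return out.slice(0, byteLength);
}

// Returns null for anything that is not a well-formed 60-character bcrypt string.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // cost range bcrypt itself accepts
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost,
    salt: m[3],
    saltBytes: decodeBcryptBase64(m[3], 16), // 22 chars carry a 16-byte salt
    digest: m[4],
  };
}

// minCost = 10 is an assumed policy, taken from the page's production advice.
// A hash cannot be upgraded in place, so weak ones are rehashed at next login.
function auditStoredHash(hash, minCost = 10) {
  const parsed = parseBcryptHash(hash);
  if (!parsed) return "invalid";
  return parsed.cost < minCost ? "rehash-on-next-login" : "ok";
}

// Constructed sample strings (not real password hashes).
const SAMPLE_OK = "$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
const SAMPLE_WEAK = "$2a$08$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
console.log(parseBcryptHash(SAMPLE_OK), auditStoredHash(SAMPLE_WEAK));
```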