Bcrypt Hash Generator & Verifier

Generate and verify bcrypt hashes in your browser. Bcrypt is the de-facto standard for storing passwords — slow by design, with per-password salt baked into the hash. Configurable cost factor (10-14) lets you tune the speed/security tradeoff.

How to use the Bcrypt Hash Generator & Verifier

Generate: type a password, pick a cost factor (10 is the modern default; 12 is safer if you can afford the latency; 14 is fortress-grade for important systems). The hash includes the salt and cost — store it as-is. Verify: paste a hash and a candidate password; the tool reports match or mismatch.

Why bcrypt instead of SHA-256

Plain SHA-256 of a password is crackable at billions of guesses per second on modern GPUs. Bcrypt is deliberately slow — cost=10 means roughly 100ms per hash, so an attacker can try ~10 hashes per second per core rather than 10 billion. Combined with a sufficiently complex password, bcrypt makes offline cracking impractical.

Argon2id (especially Argon2id with memory-hard parameters) is the newer recommendation, but bcrypt remains widely deployed and still safe at cost 12+. For new systems, prefer Argon2id; for existing systems on bcrypt, keep it and bump the cost factor every few years as hardware speeds up.

Frequently asked questions

What cost factor should I use?

10 to 12 is the common range in 2026. Higher is slower and more brute-force resistant, so pick the highest value your login latency budget tolerates.

Why does the same password produce a different hash each time?

Bcrypt generates a random salt per hash and stores it inside the output, so identical passwords hash differently. Verification reads the salt back out of the hash.

Is my password sent anywhere?

No. Hashing and verification run in your browser. Even so, never paste a real production password into any web tool; use it for testing only.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: