bcrypt Generator: Hash & Verify Passwords Online
This bcrypt generator turns any password into a secure bcrypt hash and verifies whether a password matches an existing hash — right in your browser. It is built for developers who need to seed a database, test a login flow, or check a stored bcrypt hash without spinning up code.
bcrypt is a deliberately slow password-hashing algorithm with a built-in salt, which makes hashes far harder to brute-force than fast functions like MD5 or SHA-256. Pick a cost factor from 4 to 31, switch between Generate and Verify, and the tool handles the rest with the bcryptjs library.
How to Use the bcrypt Generator
Pick Generate or Verify
Use the Generate tab to create a new hash from a password, or the Verify tab to check whether a password matches an existing bcrypt hash.
Enter your input
Type the password to hash. In Verify mode, also paste the bcrypt hash you want to check it against. Click Sample Data to fill in example values fast.
Choose a cost factor
Set the Cost Factor (rounds) for new hashes. The default of 12 suits most production apps, and a color-coded badge shows the security level for your choice.
Generate or verify
Click Generate Hash to produce the hash, then copy it with one tap. In Verify mode, click Verify Password to see a green Match or red Mismatch result.
Anatomy of a bcrypt Hash
Every hash this tool generates uses the modern $2b$ version and packs the algorithm, cost, salt, and digest into a single string:
$2b$12$WApznUPhDubN0oeveSFPpOLo0dVMFJ.3CC9TmGkMxLFvnEGbgm4jq
$2b$ — Version
The algorithm identifier. 2b is the current standard; the tool generates 2b hashes and can verify 2a, 2b, and 2y.
12 — Cost factor
The number of rounds, where iterations = 2^cost. A cost of 12 means 2^12 = 4,096 iterations per hash.
Salt — Next 22 chars
A unique random salt, Base64 encoded, generated for every hash to defeat precomputed rainbow tables.
Hash — Final 31 chars
The Base64-encoded digest of your password combined with the salt at the chosen cost.
Features
Generate & Verify Modes
Create a fresh bcrypt hash from a password, or switch tabs to check whether a password matches an existing hash.
Adjustable Cost Factor
Choose any cost from 4 to 31 rounds to balance hashing strength against generation speed.
Security Level Badge
A color-coded badge labels each cost as Low, Medium, Recommended, High, or Very High at a glance.
Hash Details Breakdown
Each result shows the algorithm version and cost factor so you can read the hash at a glance.
Generation Time
The exact time taken is displayed for every hash and check, so you can gauge the cost of higher rounds.
Multi-Version Verify
Verify mode accepts $2a$, $2b$, and $2y$ hashes and flags invalid formats.
One-Click Copy
Copy the generated hash to your clipboard with a single tap, ready to paste into your code or database.
Sample Data & Clear
Load example values to test instantly, then clear the fields to start over whenever you like.
100% Client-Side
Everything runs in your browser with the bcryptjs library — no password ever leaves your device.
Choosing the Right Cost Factor
Higher rounds mean stronger hashes but slower generation. Use these ranges as a starting point and adjust to your hardware:
| Rounds | Level | Use Case |
|---|---|---|
| 4–9 | Low | Development and testing only |
| 10–11 | Medium | Low-security applications |
| 12–13 | Recommended | Production applications |
| 14–17 | High | High-security systems |
| 18–31 | Very High | Maximum security (slow generation) |
Frequently Asked Questions
How do I generate a bcrypt hash?
On the Generate tab, type your password, pick a cost factor (12 is a good default), and click Generate Hash. The bcrypt hash appears instantly, and you can copy it with one tap.
Can you decrypt or reverse a bcrypt hash?
No. bcrypt is a one-way hashing algorithm, not encryption, so a hash cannot be turned back into the original password. The only way to confirm a password is to hash it again and compare — which is exactly what the Verify tab does.
How do I verify a password against a bcrypt hash?
Switch to the Verify tab, enter the password, paste the bcrypt hash, and click Verify Password. The result shows a green Match if the password produces that hash or a red Mismatch if it does not.
Why does the same password produce a different hash each time?
bcrypt embeds a unique random salt in every hash, so even identical passwords generate completely different strings. This is by design — it defeats precomputed rainbow-table attacks. Verification still works because the salt is stored inside the hash itself.
What are salt rounds and the cost factor?
The cost factor (also called rounds) controls how much work bcrypt does: iterations equal 2 raised to the cost. A higher number makes hashing exponentially slower and therefore harder to brute-force. For most production apps, 12 rounds balances security and performance well.
What is the difference between $2a$, $2b$, and $2y$?
$2a$ is the original specification, $2b$ is the updated version that fixes long-password handling, and $2y$ is PHP's identifier. All three are compatible — this tool generates $2b$ hashes and can verify all three formats.
Is there a maximum password length?
bcrypt processes up to 72 bytes of input and silently truncates anything longer. This is rarely an issue, but if you need to hash very long passphrases, pre-hash them with SHA-256 before applying bcrypt.
Is my password safe when using this tool?
Yes. All hashing and verification happen entirely in your browser with the bcryptjs library — your password is never sent to any server. You can confirm this by using the tool while disconnected from the internet.
No comments yet. Be the first to comment!