bcrypt Hash Generator & Verifier

Generate bcrypt password hashes and verify passwords against hashes. Runs entirely in your browser — no passwords are ever transmitted.

About the bcrypt Hash Generator

bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. It is intentionally slow: the cost factor (salt rounds) controls how many iterations the algorithm performs, and each increment doubles the work, so the cost can be raised as hardware improves to keep brute-force attacks expensive. A salt rounds value of 10 performs 2¹⁰ = 1,024 iterations; 12 performs 4,096. This tool uses bcryptjs, a pure-JavaScript implementation that runs entirely in your browser.

bcrypt hashes are not reversible. Verification works by running the same algorithm with the same salt (embedded in the hash) and comparing the result. The full hash string (e.g., $2b$10$...) encodes the algorithm version, salt rounds, salt, and digest — everything needed for verification.

Your password never leaves your browser. This tool is safe to use with real passwords for testing purposes, but treat any generated hash as you would any sensitive value.

Frequently Asked Questions

What salt rounds should I use?

10 is the current industry default and a good starting point. Higher rounds are more secure but slower — 12 takes roughly 4× longer than 10. OWASP recommends at least 10 for bcrypt. Avoid values below 10 in production. Values above 12 may cause noticeable UI lag in the browser.

Is bcrypt the same as hashing with SHA-256?

No. SHA-256 is a fast general-purpose hash — it can compute billions of hashes per second on modern GPUs, making brute-force attacks feasible. bcrypt is intentionally slow and adaptive. For password storage, always use a slow algorithm: bcrypt, scrypt, or Argon2.

What does the $2b$10$ prefix mean?

$2b$ identifies the bcrypt algorithm version (2b is the current standard). 10 is the cost factor (salt rounds). The next 22 characters are the Base64-encoded salt, followed by the 31-character hash. The full string is 60 characters.
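The layout described above can be checked in code before a stored value is ever handed to a bcrypt library. The following is an added example, not part of this tool or of bcryptjs; the names parseBcryptHash, needsRehash and SAMPLE_HASH are hypothetical, and the sample string is constructed to match the format (it is not the hash of any real password).

```javascript
// Added example: parse and validate the 60-character bcrypt string format.
// bcrypt uses its own Base64 alphabet (./A-Za-z0-9), with no '+' and no '=' padding.
const BCRYPT_RE =
  /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Constructed sample: correct shape only, not a real digest.
const SAMPLE_HASH =
  "$2b$10$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

function parseBcryptHash(hash) {
  if (typeof hash !== "string" || hash.length !== 60) {
    throw new Error("bcrypt hash must be a 60-character string");
  }
  const m = BCRYPT_RE.exec(hash);
  if (!m) {
    throw new Error("not a well-formed bcrypt hash");
  }
  const cost = Number(m[2]);
  // bcrypt only defines cost factors from 4 to 31.
  if (cost < 4 || cost > 31) {
    throw new Error("cost factor out of range (4-31)");
  }
  return {
    version: m[1],          // e.g. "2b"
    cost,                   // salt rounds
    iterations: 2 ** cost,  // 10 -> 1024, 12 -> 4096
    salt: m[3],             // 22 characters
    digest: m[4],           // 31 characters
  };
}

// Hypothetical policy check: true when a stored hash was created with a
// cost below the current minimum and should be re-hashed at next login.
function needsRehash(hash, minCost = 10) {
  return parseBcryptHash(hash).cost < minCost;
}
```

A stored value that fails parseBcryptHash is worth logging as a data-integrity problem (truncated column, wrong algorithm, plaintext) rather than treating it as a failed login.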

Can I reverse a bcrypt hash to get the original password?

No. bcrypt is a one-way function — there is no mathematical way to reverse it. Attackers must try candidate passwords one at a time (brute force or dictionary attack), which is exactly what the high cost factor is designed to prevent.