About Bcrypt Generator
Generate bcrypt hashes with configurable cost factor (4–15). Shows estimated computation time per cost level. Visual hash anatomy breaking down the version, cost, salt, and hash portions. Cost factor guide shows recommended settings. Verify passwords against existing bcrypt hashes. Explains why bcrypt is superior to SHA for password storage.
Why Bcrypt?
Bcrypt is designed for password hashing. It's intentionally slow and includes a salt to prevent rainbow table attacks. Unlike SHA (which is fast, allowing billions of guesses/second), bcrypt's work factor can be increased as hardware improves to maintain security.
Hash Anatomy
$2a$10$N9qo8uLOickgx2ZMRZoMy.Mr/F9p8q4q4q4q4q4q4q4q4q4q4q4q4q
$2a$: Version (2a, 2b, 2y).
$10$: Cost factor (2^10 = 1,024 rounds).
N9qo8uLOickgx2ZMRZoMy.: Salt (22 characters).
Mr/F9p8q4q4q4q4q4q4q4q4q4q4q: Hash (31 characters).
Cost Factor Guide
Cost 4-7: Too weak, not recommended.
Cost 8: ~40ms, minimum for development.
Cost 10: ~100ms, recommended for standard web apps.
Cost 12: ~400ms, for high-security systems.
Cost 14-15: ~1-3 seconds, for maximum security.
Verification
Enter a password and a bcrypt hash to verify if they match. The tool extracts the salt from the hash and recomputes the hash for comparison. Useful for debugging stored passwords and testing implementations.
Security Best Practices
Always use bcrypt (or Argon2id) for password storage. Never use MD5 or SHA1 for passwords. Use a cost factor that keeps hash time under 100ms on your servers. Increase the cost factor over time as hardware improves.
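The hash anatomy and cost factor guidance above, as an added example (not this tool's own code): a standard-library Python parser that splits a stored bcrypt string into its four fields and reports whether its cost is below a target, so the password can be re-hashed at the user's next successful login. The sample hashes, the function names and the default target cost of 10 are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# bcrypt encodes salt and digest with its own base64 alphabet: ./A-Za-z0-9
_BCRYPT_RE = re.compile(
    r"\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

@dataclass(frozen=True)
class BcryptParts:
    version: str   # "2a", "2b" or "2y"
    cost: int      # log2 of the number of key-expansion rounds
    salt: str      # 22 characters
    digest: str    # 31 characters

    @property
    def rounds(self) -> int:
        return 1 << self.cost  # cost 10 -> 1,024 rounds

def parse_bcrypt(stored: str) -> BcryptParts:
    """Split a stored bcrypt string into its fields; reject anything else."""
    m = _BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range the bcrypt algorithm itself accepts
        raise ValueError(f"cost {cost} outside 4..31")
    return BcryptParts(m.group(1), cost, m.group(3), m.group(4))

def needs_rehash(stored: str, target_cost: int = 10) -> bool:
    """True when the stored hash is weaker than the current target cost.

    Re-hashing needs the plaintext, so act on this only right after a
    successful verification. A ValueError from parse_bcrypt means the
    value is not bcrypt (for example a legacy MD5/SHA1 hex digest) and
    needs a separate migration path.
    """
    return parse_bcrypt(stored).cost < target_cost

# Constructed sample values: correct lengths and alphabet, not real digests.
_SALT = "abcdefghijklmnopqrstuu"               # 22 characters
_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"    # 31 characters
SAMPLE_COST_8 = "$2b$08$" + _SALT + _DIGEST
SAMPLE_COST_12 = "$2b$12$" + _SALT + _DIGEST

if __name__ == "__main__":
    for s in (SAMPLE_COST_8, SAMPLE_COST_12):
        p = parse_bcrypt(s)
        print(p.version, p.cost, p.rounds, "rehash:", needs_rehash(s))
```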