Bcrypt Hash Generator
Generate and verify bcrypt password hashes with a configurable cost factor. Server-side processing.
About bcrypt Password Hashing
bcrypt is a password hashing function specifically designed for securely storing passwords. Unlike general-purpose hash functions like MD5 or SHA-256 (which are designed to be fast), bcrypt is intentionally slow and computationally expensive, making brute-force attacks impractical.
Why bcrypt instead of MD5 or SHA?
General-purpose hash functions can compute billions of hashes per second on modern hardware. This makes them unsuitable for password storage — an attacker who obtains a database of MD5-hashed passwords can crack most of them in minutes using GPUs and precomputed rainbow tables.
bcrypt addresses this in two ways:
- Cost factor (work factor) — bcrypt includes a configurable "cost" parameter that controls how many iterations of the algorithm run. Higher cost = exponentially more computation. As hardware gets faster, you increase the cost factor to compensate.
- Built-in salt — bcrypt automatically generates a unique random salt for each hash. This means two identical passwords will have completely different hashes, making precomputed rainbow tables useless.
Cost factor guide
- Cost 10 — Standard default; approximately 100ms per hash on a modern server. Suitable for most applications.
- Cost 12 — Recommended for high-security applications; approximately 400ms per hash.
- Cost 14+ — Very high security; may cause noticeable delays for users in interactive login flows.
Reading a bcrypt hash
A bcrypt hash looks like: $2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj/fRq8HtqsW
$2b$— Version identifier12$— Cost factor (212 = 4,096 iterations)- Next 22 characters — The random salt
- Remaining characters — The hash itself