Generate and verify bcrypt password hashes online. Configure cost factor, match passwords instantly, and use secure hashing for developers.
Generate and verify bcrypt password hashes instantly using this free online tool.
Supports configurable salt rounds (cost factor) and real-time password matching.
This tool also works as a bcrypt password verifier, allowing you to
match plain text passwords against existing bcrypt hashes.
Confused about whether bcrypt is still the right choice for modern applications? Read my practical comparison of Argon2 vs bcrypt vs scrypt, based on real-world implementations and security trade-offs.
Generate Bcrypt Hash
Verify Bcrypt Password
We do not store or log any data you enter. This tool runs entirely server-side with no persistence. Intended for personal and educational use — avoid using online tools for real production secrets.
Key Features of Bcrypt
Salted Hashing
Incorporates a 128-bit random salt per password, so the same password produces a different hash every time and precomputed rainbow tables are useless.
Adaptive Cost Factor
Configurable work factor lets you increase computation time as hardware improves, staying ahead of brute-force attacks.
Blowfish-Based
Derived from the Blowfish cipher with an expensive key setup phase that adds inherent slowness.
Cross-Platform
Widely supported in Java, Python, Node.js, PHP, and more. See how to implement bcrypt in Spring Security.
Recommended Rounds: 12
Cost factor 12 balances security and performance for most apps. High-security systems may use 13+, as long as login times stay acceptable.
One-Way Hash
Bcrypt hashes are irreversible. Passwords are verified by re-hashing — the original value can never be recovered.
How Bcrypt Works
Salting
A 128-bit cryptographically random salt is generated per password. The salt is fed into the cipher's key schedule together with the password, so identical passwords still yield different hashes.
Hashing
The password and salt drive Blowfish's expensive key schedule, which is repeated 2^cost times; the resulting cipher state then encrypts a fixed string to produce the hash bytes. Each increment of the cost factor doubles the computation time.
Storing
The final output encodes the version prefix, cost factor, salt, and hash together in a single 60-character string (for example $2b$12$ followed by the 22-character salt and the 31-character hash), so nothing else needs to be stored to verify future logins.
Bcrypt vs Argon2
While bcrypt is widely used and secure, modern applications increasingly adopt
Argon2id, which offers better resistance against GPU and ASIC attacks. For new
applications, OWASP recommends Argon2id as the preferred password hashing algorithm.
Try our Argon2 Password Hash Generator for modern password security.
Algorithm   Strength      GPU Resistance   Recommended For
Bcrypt      Strong        Moderate         Existing systems
Argon2id    Very Strong   High             New applications
Advantages
Brute-Force Resistant — the per-password salt defeats precomputed tables, and the tunable slowness makes large-scale dictionary and brute-force attacks expensive
Adjustable Work Factor — raise the cost parameter as hardware improves; existing hashes keep verifying because each hash records the cost it was made with
Widely Trusted — battle-tested across millions of production systems for decades
Limitations
Intentionally Slow — can impact performance under high-volume authentication scenarios
72-Byte Limit — bcrypt uses at most the first 72 bytes of the password; most implementations silently truncate longer input, and some newer library versions reject it instead
No Memory Hardness — bcrypt runs in about 4 KB of state, so GPU and ASIC attackers can run many instances in parallel; Argon2id's configurable memory cost makes that far more expensive
Python Example
Here's a basic example of how bcrypt is used in code:
# Install: pip install bcrypt
import bcrypt

# Generating a salt and hashing: hashpw returns the full 60-byte string
# ($2b$12$ + salt + hash), so nothing else needs to be stored
password = b"supersecret"
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))
stored = hashed.decode()  # keep it as text in the user record

# Verifying a password: checkpw reads the cost and salt from the stored
# hash, re-hashes the candidate and compares in constant time
if bcrypt.checkpw(password, stored.encode()):
    print("Password match!")
else:
    print("Password does not match.")
Usage Guide
Enter any plain text in the Generate panel and choose a salt round (12 is recommended). Click Generate Hash to produce the bcrypt hash.
The salt is random — the same password produces a different hash each time. This is expected and correct behavior.
To verify a password, paste the stored bcrypt hash and the candidate plain text in the Verify panel and click Match.
Hashes may start with $2a$, $2b$ or $2y$. These are bcrypt variants that compute the same result in correct implementations, but some libraries only accept certain prefixes. The cost factor is read from the hash itself, so if verification fails, check the prefix first and make sure the full 60-character string was copied.
For migrating to newer rounds, re-hash the user's password on next login using the updated cost factor — no need to force a password reset.
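The following is an added example, not the tool's own code, covering two points above: the "Storing" step (the fields packed into the 60-character string) and the migration advice to re-hash on the next successful login. It splits a stored hash into prefix, cost, salt and hash, decides whether the cost is below policy, and, when the pyca `bcrypt` package is installed, verifies a login and upgrades the hash in place. The sample hash string and the dictionary standing in for a user's database row are constructed for illustration.

```python
# Added example, not the tool's own code: split a stored bcrypt string into its
# fields and upgrade the cost factor on the next successful login.
# Only the live verify/upgrade path needs the `bcrypt` package (pip install bcrypt).
import re

# Layout of a stored hash: $<version>$<cost>$<22-char salt><31-char hash>,
# 60 characters in total. Salt and hash use bcrypt's own radix-64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(stored: str) -> dict:
    """Return {"version", "cost", "salt", "hash"}; raise ValueError if malformed."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # the range the algorithm allows
        raise ValueError(f"cost {cost} out of range")
    return {"version": m.group("version"), "cost": cost,
            "salt": m.group("salt"), "hash": m.group("hash")}


def is_bcrypt(stored: str) -> bool:
    """Cheap input check before handing a string to a verifier."""
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the hash was made with a cost below current policy."""
    return parse_bcrypt(stored)["cost"] < target_cost


try:
    import bcrypt
except ImportError:  # parsing and policy checks still work without it
    bcrypt = None


def verify_and_upgrade(password: bytes, record: dict, target_cost: int = 12) -> bool:
    """Verify a login against record["hash"]; on success, transparently re-hash
    with the target cost if the stored one is lower. `record` is a mutable dict
    standing in for the user's database row (an assumption of this example)."""
    if bcrypt is None:
        raise RuntimeError("install the bcrypt package for live verification")
    if not is_bcrypt(record["hash"]):
        return False
    if not bcrypt.checkpw(password, record["hash"].encode()):
        return False
    if needs_rehash(record["hash"], target_cost):
        new_hash = bcrypt.hashpw(password, bcrypt.gensalt(rounds=target_cost))
        record["hash"] = new_hash.decode()  # persist this in the real row
    return True


# Sample hash string used only to show the field layout (constructed input)
SAMPLE = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE))
    print("needs rehash at cost 12:", needs_rehash(SAMPLE, 12))
    if bcrypt is not None:
        user = {"hash": bcrypt.hashpw(b"correct horse", bcrypt.gensalt(rounds=10)).decode()}
        print("login ok:", verify_and_upgrade(b"correct horse", user, target_cost=12))
        print("stored prefix now:", user["hash"][:7])  # cost 12
```

The upgrade happens only after a successful check, because that is the only moment the server holds the plaintext; the new hash must be written back to the user's row in the same request so the old, weaker hash is not kept around.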
Frequently Asked Questions
What is bcrypt used for?
Bcrypt is a password hashing algorithm designed for secure password storage. It incorporates automatic salting and an adjustable cost factor to resist brute-force and rainbow table attacks. It is not suitable for encrypting data — only for one-way password hashing.
Is bcrypt still secure in 2025?
Yes, bcrypt remains secure when used with an appropriate cost factor (12 or higher). However, Argon2id is OWASP's current recommendation for new applications because it offers memory-hard resistance against GPU-based attacks.
What bcrypt cost factor should I use?
A cost factor of 12 is recommended for most modern systems; on typical server hardware it hashes in roughly 250 ms, which is acceptable for login flows. High-security systems may use 13 or 14, as long as server response times stay within user expectations. Because each increment doubles the time, benchmark on your own hardware before choosing.
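An added example (not the tool's own code) of the benchmarking step recommended above: it times one bcrypt hash at each of several cost factors on the current machine, uses the doubling rule to estimate costs it did not measure, and picks the highest cost that fits a latency budget without dropping below a floor of 10. The benchmark itself needs the pyca `bcrypt` package; the selection logic works on any timing table, and the timings used to show it are constructed.

```python
# Added example, not the tool's own code: time bcrypt at several cost factors on
# this machine and pick the highest cost that fits a login-latency budget.
import statistics
import time

try:
    import bcrypt  # pip install bcrypt; needed only for benchmark_costs()
except ImportError:
    bcrypt = None

MIN_COST = 10  # never go below this, whatever the budget says


def benchmark_costs(costs=(10, 11, 12, 13), samples: int = 3) -> dict:
    """Median wall-clock milliseconds per hash for each cost factor."""
    if bcrypt is None:
        raise RuntimeError("install the bcrypt package to benchmark")
    timings = {}
    for cost in costs:
        salt = bcrypt.gensalt(rounds=cost)
        runs = []
        for _ in range(samples):
            start = time.perf_counter()
            bcrypt.hashpw(b"benchmark-only-password", salt)
            runs.append((time.perf_counter() - start) * 1000)
        timings[cost] = statistics.median(runs)
    return timings


def extrapolate(timings: dict, cost: int) -> float:
    """Estimate the time for a cost that was not measured: each +1 doubles the
    work, so scale from the nearest measured cost."""
    nearest = min(timings, key=lambda c: abs(c - cost))
    return timings[nearest] * 2 ** (cost - nearest)


def choose_cost(timings: dict, budget_ms: float, floor: int = MIN_COST) -> int:
    """Largest measured cost whose median time is within budget, but never below
    the floor; if nothing fits, the floor is returned and the budget must give."""
    fitting = [c for c, ms in timings.items() if ms <= budget_ms]
    return max(max(fitting, default=floor), floor)


if __name__ == "__main__":
    if bcrypt is None:
        print("bcrypt not installed; run with the package to see real numbers")
    else:
        measured = benchmark_costs()
        for cost, ms in measured.items():
            print(f"cost {cost:2d}: {ms:7.1f} ms")
        print("estimated cost 14:", round(extrapolate(measured, 14)), "ms")
        print("recommended cost for a 300 ms budget:", choose_cost(measured, 300))
```

Run it on the production instance type rather than a laptop, and budget for the login endpoint's peak concurrency: a cost that takes 250 ms for one hash occupies a CPU core for that long on every login attempt, including failed ones.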
Can bcrypt hashes be reversed or decrypted?
No. Bcrypt is a one-way function — hashes cannot be reversed to retrieve the original password. Verification works by re-hashing the candidate password with the stored salt and comparing the result.
What is the difference between $2a$ and $2y$ bcrypt hashes?
The original prefix was $2$; $2a$ replaced it soon after the first release, $2x$ and $2y$ were added after a bug in PHP's crypt_blowfish handling of 8-bit characters ($2x$ marks hashes produced by the buggy code, $2y$ hashes from the fixed one), and $2b$ was introduced by OpenBSD after a fix for very long passwords. For ordinary passwords a correct library computes the same value for $2a$, $2b$ and $2y$; the practical problem is that some libraries reject prefixes they do not recognize. The cost factor is read from the hash itself, so if verification fails across systems, check which prefixes the verifying library accepts and rewrite the prefix to a supported one rather than touching the cost.
Does bcrypt have a password length limit?
Yes. Bcrypt uses only the first 72 bytes of the password; most implementations silently truncate longer input (some newer library versions reject it instead), so a user with a long passphrase gets only its first 72 bytes hashed, and two passphrases that agree on those bytes verify as the same password. If this is a concern, pre-hash the password with SHA-256 and encode the digest (for example with base64) before passing it to bcrypt. The encoding matters because raw digest bytes can contain NUL, which C-based bcrypt implementations treat as the end of the string. Apply the same pre-hash step when hashing and when verifying.
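An added example, not the tool's own code, for the answer above: it shows what a truncating bcrypt implementation actually sees for two long passphrases, and the SHA-256-plus-base64 pre-hash that keeps the full passphrase in play. The demonstration uses only the standard library; the bcrypt calls at the bottom run only if the pyca `bcrypt` package is installed. The two passphrases are constructed so that they share their first 72 bytes.

```python
# Added example, not the tool's own code: show what bcrypt's 72-byte limit does
# to two long passphrases and how a pre-hash step avoids it. Standard library
# only; the optional demo at the bottom runs if the bcrypt package is installed.
import base64
import hashlib

BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(password: bytes) -> bytes:
    """The bytes a truncating bcrypt implementation actually hashes.
    (C-based implementations also stop at the first NUL byte, so raw digest
    bytes must never be passed in; see prehash().)"""
    return password[:BCRYPT_MAX_BYTES]


def prehash(password: str) -> bytes:
    """SHA-256 the UTF-8 password and base64-encode the digest: 44 ASCII bytes,
    so always under 72 and never containing NUL. Use this on both the hashing
    and the verifying side."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def truncation_collides(a: str, b: str) -> bool:
    """True when a truncating bcrypt would treat the two passwords as identical."""
    return bcrypt_effective_input(a.encode("utf-8")) == bcrypt_effective_input(b.encode("utf-8"))


# Constructed passphrases: 90 shared bytes, so they differ only after byte 72
COMMON = "The quick brown fox jumps over the lazy dog. " * 2
PW_A = COMMON + "alpha"
PW_B = COMMON + "bravo"

try:
    import bcrypt  # pip install bcrypt
except ImportError:
    bcrypt = None


def hash_password(password: str, rounds: int = 12) -> str:
    """bcrypt over the pre-hashed password (needs the bcrypt package)."""
    return bcrypt.hashpw(prehash(password), bcrypt.gensalt(rounds=rounds)).decode()


def verify_password(password: str, stored: str) -> bool:
    return bcrypt.checkpw(prehash(password), stored.encode())


if __name__ == "__main__":
    print("raw bcrypt sees the same input:", truncation_collides(PW_A, PW_B))  # True
    print("pre-hashed inputs are equal:   ", prehash(PW_A) == prehash(PW_B))   # False
    if bcrypt is not None:
        try:  # some newer library versions reject >72-byte input instead of truncating
            raw = bcrypt.hashpw(PW_A.encode(), bcrypt.gensalt(rounds=4))
            print("raw bcrypt accepts PW_B for PW_A's hash:", bcrypt.checkpw(PW_B.encode(), raw))
        except ValueError as exc:
            print("library rejected the long password:", exc)
        stored = hash_password(PW_A, rounds=4)
        print("pre-hashed: PW_A verifies:", verify_password(PW_A, stored),
              "PW_B verifies:", verify_password(PW_B, stored))
```

Two caveats when adopting this: hashes created without the pre-hash step will no longer verify through `verify_password`, so migrate them on the next successful login rather than all at once; and a bare SHA-256 pre-hash means an attacker who already holds the unsalted SHA-256 of a user's password from another breach can feed it straight to bcrypt, which is why some teams use a keyed HMAC with a server-side secret for this step instead.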
How does this tool keep my data private?
Your input is sent to the server only to compute or verify the hash; it is not stored, logged, or shared with anyone. No account is required. We still recommend not using any online tool for production secrets: generate and store hashes within your own secure infrastructure.