Bcrypt Hash Generator & Verifier
Generate bcrypt password hashes with an adjustable cost factor, and check whether a password matches an existing bcrypt hash.
Hash any password with bcrypt at a cost factor from 4 to 15, with the time taken shown after each run so you can see what a given work factor costs. The Verify tab takes a password and an existing hash and tells you whether they match, which is handy for debugging login code or checking values stored in a database.
Bcrypt is the default password hashing scheme in frameworks like Laravel, Spring Security, Devise, and countless Node.js apps. Unlike fast digests such as SHA-256, bcrypt is deliberately slow and tunable: the cost factor sets the number of key expansion rounds to 2^cost, so each increment doubles the work an attacker must do per guess. This tool runs the bcryptjs implementation in your browser, generating hashes in the standard $2b$ modular crypt format that drops straight into a database column or a test fixture.
The Hash tab takes a password and a cost factor between 4 and 15 (10 is the common production default) and reports how long the computation took. That timing readout is the practical way to choose a cost: pick the highest value your login endpoint can tolerate, often targeted around 100 to 250 milliseconds on server hardware. Note that browser JavaScript is slower than a native server implementation, so costs above 12 can take several seconds here even though they are fine in production.
The Verify tab answers the question hashing alone cannot: does this password correspond to this stored hash? Because every bcrypt hash embeds its own random salt and cost, verification reads those parameters out of the hash string itself, recomputes, and compares. Paste a hash from your users table, type the candidate password, and you get a clear match or no-match result without writing a throwaway script.
1. Enter a password and pick a cost
Type the password on the Hash tab and set the cost factor with the slider. The cost choice is remembered for your next visit; the password never is.
2. Generate the hash
Click Hash. The browser computes the bcrypt hash with a fresh random salt and shows the result along with how long the computation took.
3. Copy or verify
Copy the hash for your database or fixture, or switch to the Verify tab to test a password against any existing bcrypt hash.
Seed test users
Generate hashes for fixture accounts in a development database without spinning up the application's registration flow.
Debug a failing login
Paste the stored hash from the users table and the password the user claims to be typing to confirm whether they actually match.
Reset an admin password directly
Produce a hash for a known password and write it into the database when an app's reset flow is broken or unavailable.
Benchmark cost factors
Compare the timing readout at different costs to build intuition for how each increment doubles the hashing work.
Why do I get a different hash for the same password every time?
Each run generates a fresh random 128-bit salt, which is embedded in the output string. Two hashes of the same password therefore look completely different, but both verify correctly because comparison reads the salt back out of the hash.
What does the cost factor actually control?
It is an exponent: cost 10 means 2^10 = 1,024 rounds of bcrypt's key expansion. Each increment doubles the computation time for you and for an attacker guessing passwords. Production systems commonly use 10 to 12.
What is the difference between $2a$ and $2b$ prefixes?
Both identify bcrypt variants. $2a$ is the original OpenBSD revision; $2b$ fixed a wraparound bug in handling inputs longer than 255 bytes. This tool emits $2b$, and verification accepts $2a$, $2b$, and $2y$ hashes interchangeably for normal-length passwords.
Is there a length limit on the password?
Yes. Bcrypt only uses the first 72 bytes of the password; anything beyond that is silently ignored, so two passwords sharing the same first 72 bytes produce matching hashes. Some frameworks pre-hash long passwords to work around this.
Is it safe to type a real password here?
The hashing runs entirely in your browser with the bcryptjs library. The password is never sent anywhere, never written to localStorage, and exists only in the page's memory until you close or reload the tab.
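The parameters that verification reads back out of a hash string (prefix, cost, 128-bit salt) can be extracted without a bcrypt library, which is useful for auditing stored hashes for low cost factors. The following is an added example, not code from this tool or from bcryptjs; the function names, the `minCost` default of 10 and the sample strings are assumptions made for illustration.

```javascript
// Added example: sample strings below are constructed placeholders, not real hashes.
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Decode bcrypt's base64 variant (own alphabet, no padding) into bytes.
function decodeBcryptBase64(text) {
  const out = [];
  let bits = 0, nbits = 0;
  for (const ch of text) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid bcrypt base64 character: " + ch);
    bits = (bits << 6) | v;
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      out.push((bits >> nbits) & 0xff);
      bits &= (1 << nbits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out);
}

// Split "$2b$10$<22-char salt><31-char digest>" into its fields.
function parseBcryptHash(hash) {
  const m = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/.exec(hash);
  if (!m) throw new Error("not a bcrypt modular crypt string");
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) throw new Error("cost out of range: " + cost);
  return { version: m[1], cost, rounds: 2 ** cost, salt: decodeBcryptBase64(m[3]), digest: m[4] };
}

// Report what a reviewer would flag: low cost, non-$2b$ prefix, over-long password.
function auditBcrypt(hash, minCost = 10, password = "") {
  const parsed = parseBcryptHash(hash);
  const findings = [];
  if (parsed.cost < minCost) findings.push("cost " + parsed.cost + " is below the minimum " + minCost);
  if (parsed.version !== "2b") findings.push("prefix is $" + parsed.version + "$, not $2b$");
  const bytes = new TextEncoder().encode(password).length; // bcrypt counts bytes, not characters
  if (bytes > 72) findings.push("password is " + bytes + " bytes; only the first 72 are hashed");
  return { ...parsed, findings };
}

// Constructed inputs: format-valid strings, not hashes of any real password.
const SAMPLE_OLD = "$2a$06$" + "abcdefghijklmnopqrstuu" + "A".repeat(31);
const SAMPLE_OK = "$2b$12$" + "abcdefghijklmnopqrstuu" + "A".repeat(31);

// "\u00e9" is 1 character but 2 UTF-8 bytes, so 40 of them exceed the 72-byte limit.
console.log(auditBcrypt(SAMPLE_OLD, 10, "\u00e9".repeat(40)).findings);
console.log(auditBcrypt(SAMPLE_OK).findings);
```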