Bcrypt Generator
Generate or verify bcrypt password hashes in your browser with a tunable cost factor.
Written by Golam Rabbani, Founder & Lead Engineer
How to use this bcrypt generator
- Pick a mode: Hash to create a new bcrypt hash, or Verify to test a plain text against an existing hash.
- In Hash mode, type the plain text and drag the cost slider between 4 and 14 (10 is the sane default).
- In Verify mode, type the plain text and paste the bcrypt hash (60 chars starting with $2a$, $2b$, or $2y$).
- Press Generate hash or Verify match. Higher cost = slower work but stronger protection against brute force.
- Use Copy hash to put a freshly generated digest on your clipboard, or Reset to clear inputs.
About this bcrypt generator
This bcrypt generator runs the bcryptjs library entirely in your browser, so plain text and hashes never leave the page. Bcrypt is a deliberately slow, salted password-hashing function: the cost factor (rounds) controls how many key-derivation iterations are performed, doubling with each step. Cost 10 (1,024 iterations) is the modern baseline; cost 12–14 is appropriate when you can spare the CPU. Each hash is 60 characters long, encodes the algorithm version, the cost, a 16-byte salt, and the 23-byte digest, so storing the hash alone is enough to verify later.
Worked example: hashing the passphrase "correct horse battery staple" at cost 10 produces a string like "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy". Re-running the hash returns a different string because a fresh random salt is generated, but Verify mode will still report a match when given the original passphrase. Bcrypt only considers the first 72 bytes of input, so longer passwords are silently truncated — the tool warns you when that happens. This page is a hashing utility for development, fixtures, and ad-hoc verification; never rely on a client-side tool as your production authentication layer, and never paste real user secrets into a third-party page.
FAQ
- Why does the same input produce a different bcrypt hash every time?
- Bcrypt generates a fresh 16-byte random salt on every call. The salt is embedded in the output string, so verification still works — the algorithm reads the salt out of the stored hash and recomputes the digest from your candidate password.
- What cost (rounds) should I choose?
- Cost 10 is the modern default and finishes in roughly 100 ms in a browser. Cost 12 takes ~400 ms and is a reasonable upgrade for new systems. Cost 14 is ~1.6 s and starts to be noticeable on a login form. Never go below 10 for new applications.
- Is my password sent to a server?
- No. The bcryptjs library runs in your browser via JavaScript. The plain text, salt, and resulting hash all stay on this page; nothing is uploaded, logged, or transmitted.
- Why does Verify say no-match for a clearly correct password?
- Common causes: leading or trailing whitespace in the plain text, a truncated or extra character in the pasted hash, a password longer than 72 bytes (bcrypt ignores the tail), or an unusual hash variant like $2x$ that this tool does not recognise.
- Can I use this hash in my Node, PHP, or Python backend?
- Yes. Bcrypt hashes are portable across implementations — a hash generated here verifies correctly against node-bcrypt, PHP password_verify, Python bcrypt, Ruby bcrypt, Go x/crypto/bcrypt, and others. Just store the full 60-character string.
- Is bcrypt still a good choice in 2026?
- Bcrypt is still considered safe for password hashing when tuned to a cost of at least 10. Argon2id is the modern recommendation from OWASP and is preferred for new systems, but bcrypt remains an acceptable fallback and is everywhere in legacy code.
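The hash layout described in the About section (version, cost, 22-character salt, 31-character digest, all in bcrypt's own base64 alphabet) and the false "no match" causes listed in the FAQ can both be checked structurally before any bcrypt work is done. The following is an added example, not code from this tool or from bcryptjs: it parses a 60-character hash into its fields, decodes the salt and digest bytes, and runs the preflight checks a Verify form would want (edge whitespace, input over 72 UTF-8 bytes, wrong length, unrecognised `$2x$`-style variant). The function names `parseBcryptHash`, `verifyPreflight` and the two base64 helpers are this example's own; the sample hash is the one quoted in the About section. It uses only the `TextEncoder` built-in and does not compute bcrypt itself.

```javascript
// Added example (not the tool's own code): structural checks around a
// bcrypt modular-crypt string ("$2a$10$" + 22-char salt + 31-char digest).
// Uses only built-ins; bcrypt itself is not computed here.

const BCRYPT_ALPHABET =
  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const BCRYPT_MAX_BYTES = 72;                 // bcrypt keys on at most 72 input bytes
const KNOWN_VERSIONS = new Set(["2a", "2b", "2y"]);

// bcrypt base64 -> bytes. The alphabet differs from RFC 4648 and there is no
// padding; 22 chars carry 132 bits for a 128-bit salt and 31 chars carry
// 186 bits for a 184-bit digest, so the caller says how many bytes to keep.
function bcryptB64Decode(str, byteLength) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of str) {
    const v = BCRYPT_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid bcrypt base64 character ${JSON.stringify(ch)}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;                // keep only the not-yet-emitted low bits
    }
  }
  return Uint8Array.from(out.slice(0, byteLength));
}

// bytes -> bcrypt base64, the canonical form real implementations emit
// (trailing unused bits are zero), so decode/encode round-trips exactly.
function bcryptB64Encode(bytes) {
  let out = "", acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += BCRYPT_ALPHABET[(acc >> bits) & 0x3f];
    }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) out += BCRYPT_ALPHABET[(acc << (6 - bits)) & 0x3f];
  return out;
}

// Split a well-formed $2a$/$2b$/$2y$ hash into its fields; null otherwise.
function parseBcryptHash(hash) {
  const m = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$/.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null;    // outside bcrypt's defined range
  return {
    version: m[1],
    cost,
    rounds: 2 ** cost,                       // key-setup iterations; doubles per cost step
    saltText: m[3].slice(0, 22),
    digestText: m[3].slice(22),
    salt: bcryptB64Decode(m[3].slice(0, 22), 16),
    digest: bcryptB64Decode(m[3].slice(22), 23),
  };
}

// Preflight for Verify mode: every structural reason a compare could report
// "no match" before any CPU is spent. An empty list means nothing is obviously
// wrong; the password may of course still simply be incorrect.
function verifyPreflight(plain, hash) {
  const problems = [];
  if (plain !== plain.trim()) problems.push("leading or trailing whitespace in plain text");
  const byteLen = new TextEncoder().encode(plain).length;   // UTF-8 bytes, not characters
  if (byteLen > BCRYPT_MAX_BYTES) {
    problems.push(`plain text is ${byteLen} bytes; bcrypt keys on only the first ${BCRYPT_MAX_BYTES}`);
  }
  const h = hash.trim();
  if (h !== hash) problems.push("whitespace around the pasted hash");
  if (h.length !== 60) problems.push(`hash is ${h.length} characters, expected 60`);
  const ver = /^\$(2[a-z])\$/.exec(h);
  if (!ver) problems.push("hash does not start with a $2?$ version marker");
  else if (!KNOWN_VERSIONS.has(ver[1])) problems.push(`unrecognised variant $${ver[1]}$`);
  if (problems.length === 0 && !parseBcryptHash(h)) problems.push("hash fields do not decode");
  return problems;
}

// Sample hash taken from the About section of this page.
const EXAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
```

In a Verify form you would call `verifyPreflight(plain, hash)` first and show any returned reasons next to the result; only when the list is empty is it worth handing the inputs to `bcryptjs.compare`. The byte-length check deliberately measures UTF-8 bytes rather than string length, since a 40-character password made of two-byte characters already exceeds the 72-byte limit.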