Online Bcrypt Hash Generator
Securely generate bcrypt hashes in your browser using our fast and private bcrypt hashing tool. No data leaves your device — hashes are computed entirely client-side using the bcryptjs library. Bcrypt is the industry-standard algorithm for password hashing in web applications.
What is Bcrypt?
Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike fast cryptographic hashes (MD5, SHA-256), bcrypt is intentionally slow. It uses an adaptive cost factor (salt rounds) that can be increased as hardware gets faster, so bcrypt remains resistant to brute-force attacks over time.
Bcrypt automatically generates and embeds a random salt into the hash, which means two identical passwords always produce different hashes. The resulting hash string includes the algorithm version, cost factor, and salt — everything needed to verify the password later.
Understanding Bcrypt Salt Rounds
The cost factor (salt rounds) controls how computationally expensive each hash is. Each increment doubles the work:
- Cost 10: ~100ms per hash — recommended minimum for production
- Cost 12: ~400ms per hash — suitable for high-security applications
- Cost 14: ~1.5s per hash — for very high-value credentials
- Cost 6: Suitable for development/testing only — too fast for production
Bcrypt vs Scrypt
- Memory: Bcrypt is CPU-bound; scrypt is memory-hard (harder for GPUs)
- Support: Bcrypt is built into more frameworks (Passport.js, Devise, Spring Security)
- Input limit: Bcrypt truncates at 72 bytes; scrypt has no such limit
- Recommendation: Both are OWASP-approved; use bcrypt for compatibility, scrypt/Argon2 for new systems
Tool Features
- Hash passwords with adjustable salt rounds (cost factor)
- Instant client-side processing — no server, no logging
- Output in standard bcrypt format ($2b$...)
- No server-side dependency — fully browser-based
- Free with no usage limits or signup
How to Use This Tool
- Type your password in the text box.
- Set the cost factor (10 is recommended for production).
- The bcrypt hash is generated in your browser — this may take a moment at higher cost factors.
- Copy the full hash string, including the $2b$ prefix.
Frequently Asked Questions
What is bcrypt?
Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. It is intentionally slow and includes a work factor (cost factor) that can be increased over time as hardware gets faster — keeping it resistant to brute-force attacks even as computing power grows.
What are bcrypt salt rounds?
Salt rounds (also called the cost factor or work factor) determine how many times bcrypt runs its key expansion phase. Each increment doubles the computation time: cost 10 takes twice as long as cost 9. The recommended minimum is 10 for production use; 12 is common for high-security applications. Cost 14+ is appropriate for very high-value credentials.
bcrypt vs scrypt: which is better?
Both are secure for password hashing. Bcrypt is CPU-bound and widely supported across languages and frameworks. Scrypt is memory-hard — it requires large amounts of RAM in addition to CPU time, making GPU-based attacks significantly harder. For new systems with no legacy requirements, scrypt or Argon2 are often preferred. For compatibility with existing auth libraries (e.g., Passport.js, Devise), bcrypt is usually the practical choice.
Can bcrypt be reversed?
No. Bcrypt is a one-way hash function. However, an attacker can attempt to crack it by trying many inputs (brute force), which is why the work factor matters. The higher the cost factor, the more time each guess takes, making exhaustive attacks impractical.
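Why does bcrypt have a 72-byte input limit?
Bcrypt is derived from the Blowfish cipher, which has a 72-byte key limit. Any input longer than 72 bytes is silently truncated. If your passwords might exceed 72 bytes (multi-byte UTF-8 characters reach the limit in fewer than 72 characters), consider pre-hashing the password with SHA-256 before passing it to bcrypt, though this is a rare concern for most applications. Encode the digest as hex or base64 first, because a raw digest can contain NUL bytes that some bcrypt implementations treat as the end of the input.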
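The following is an added example, not code from this tool or from bcryptjs. It splits a stored hash into the version, cost factor, and salt that the hash string embeds, flags hashes below the recommended minimum cost so they can be rehashed at the next successful login, and measures a password in UTF-8 bytes against the 72-byte limit. The function names and the sample hash strings are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample values.
const BCRYPT_MAX_BYTES = 72; // input limit stated on this page
const MIN_COST = 10;         // production minimum recommended on this page

// Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>,
// with salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Split a stored hash into its embedded fields; null if it is malformed.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// True when the stored hash is malformed or weaker than the current policy.
function needsRehash(hash, minCost = MIN_COST) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < minCost;
}

// Bcrypt counts UTF-8 bytes, not characters.
function utf8Length(password) {
  return new TextEncoder().encode(password).length;
}

// True when bytes past the 72nd would be ignored by bcrypt.
function wouldTruncate(password) {
  return utf8Length(password) > BCRYPT_MAX_BYTES;
}

// Constructed samples: correct layout only, not hashes of any real password.
const SALT = "abcdefghijklmnopqrstuv";           // 22 characters
const DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"; // 31 characters
const devHash = "$2b$06$" + SALT + DIGEST;        // development-only cost
const prodHash = "$2b$12$" + SALT + DIGEST;

console.log(parseBcryptHash(prodHash));
console.log(needsRehash(devHash), needsRehash(prodHash));
// 40 two-byte characters are 80 bytes, so the tail would be dropped.
console.log(wouldTruncate("a".repeat(72)), wouldTruncate("\u00e9".repeat(40)));
```

Run `needsRehash` only after the password has verified against the old hash, since that is the one moment the plaintext is available to compute a new hash at the higher cost.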
Is bcrypt suitable for storing API keys or tokens?
Bcrypt is designed for passwords, not general-purpose data. Its intentional slowness makes it poor for high-throughput token lookups. For API key storage, use HMAC-SHA-256 or store a salted SHA-256 hash, which is fast to verify but still prevents plaintext exposure.