Bcrypt Hash Generator
Generate Hash
Generate a bcrypt hash from your text. Higher rounds provide better security but take longer to process.
Verify Hash
Check if a bcrypt hash matches the original text.
What is Bcrypt?
Bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. It was specifically created to protect passwords against rainbow table attacks and brute-force search attempts. Unlike fast message-digest algorithms like MD5 or SHA-256, Bcrypt is intentionally slow and computationally expensive.
Bcrypt is built on the key schedule of the Blowfish cipher (the "expensive key setup", often called eksblowfish) and incorporates a "work factor" (or cost) that lets the algorithm stay expensive to attack even as computing power increases. This adaptability makes it one of the most enduring and trusted ways to store passwords securely in modern web applications.
Understanding the Bcrypt Hash Structure
A standard Bcrypt hash is a string of 60 characters that contains all the information needed to verify a password. It looks like this:
$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
This string is broken down into four parts:
- Prefix ($2y$): Identifies the bcrypt variant. The common identifiers are $2a$ (the original), $2b$ (the current OpenBSD revision) and $2y$ (used by PHP's crypt_blowfish); modern libraries verify all three.
- Cost Factor (10): A two-digit number between 4 and 31 that sets the work factor. The expensive key setup runs 2^cost times, so a cost of 10 means 2^10 = 1,024 iterations, and raising the cost by 1 doubles the time needed to compute (or crack) the hash.
- Salt: The next 22 characters, encoding 16 random bytes generated for each password so that identical passwords produce different hashes. Note that bcrypt uses its own base64 alphabet (./A-Za-z0-9, in that order), not the standard one.
- Hash: The final 31 characters, encoding the 23-byte result of hashing the password with the salt and cost factor.
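As an added example (not part of this tool's own code), here is a small Python parser that splits a bcrypt string into these four parts, validates each field, and decodes the salt and hash using bcrypt's own base64 alphabet. It also includes the cost check a login flow uses to decide whether a stored hash should be upgraded to a higher work factor (the "Re-hash on Login" practice described further down). The function and class names (parse_bcrypt, needs_rehash, BcryptHash) are my own; the sample string is the hash shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt's own base64 alphabet. It is NOT the RFC 4648 alphabet ('.' and '/'
# come first, digits last), so standard base64 decoders cannot be used directly.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_INDEX = {ch: i for i, ch in enumerate(BCRYPT_ALPHABET)}

# $<version>$<cost>$<22-char salt><31-char hash> = 7 + 22 + 31 = 60 characters.
_HASH_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64_decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt-base64 text to exactly nbytes; trailing padding bits are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | _INDEX[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    if len(out) != nbytes:
        raise ValueError(f"expected {nbytes} bytes, decoded {len(out)}")
    return bytes(out)


def bcrypt_b64_encode(data: bytes) -> str:
    """Inverse of bcrypt_b64_decode: 16 bytes -> 22 chars, 23 bytes -> 31 chars."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(BCRYPT_ALPHABET[(acc >> nbits) & 0x3F])
            acc &= (1 << nbits) - 1
    if nbits:  # final partial group, padded with zero bits on the right
        out.append(BCRYPT_ALPHABET[(acc << (6 - nbits)) & 0x3F])
    return "".join(out)


@dataclass(frozen=True)
class BcryptHash:
    version: str   # "2a", "2b" or "2y"
    cost: int      # work factor; the key setup runs 2**cost times
    salt: bytes    # 16 random bytes
    digest: bytes  # 23-byte hash output

    @property
    def iterations(self) -> int:
        return 1 << self.cost


def parse_bcrypt(hash_string: str) -> BcryptHash:
    """Split a 60-character bcrypt string into its parts, validating each field."""
    m = _HASH_RE.match(hash_string)
    if m is None:
        raise ValueError("not a valid 60-character bcrypt hash string")
    version, cost_text, salt_text, digest_text = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside the valid range 4..31")
    return BcryptHash(
        version=version,
        cost=cost,
        salt=bcrypt_b64_decode(salt_text, 16),
        digest=bcrypt_b64_decode(digest_text, 23),
    )


def needs_rehash(stored: str, target_cost: int,
                 target_version: Optional[str] = None) -> bool:
    """True if a stored hash should be regenerated after a SUCCESSFUL login:
    its cost is below the current policy, or (optionally) it uses a variant
    other than the one your library emits. Never call this before verifying."""
    parsed = parse_bcrypt(stored)
    if parsed.cost < target_cost:
        return True
    return target_version is not None and parsed.version != target_version


# Constructed sample: the hash shown above (cost 10, "$2y$" variant).
SAMPLE = "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE)
    print(h.version, h.cost, h.iterations, h.salt.hex(), h.digest.hex())
    print("upgrade to cost 12?", needs_rehash(SAMPLE, 12))
```

The regex rejects anything that is not exactly 60 characters in the expected layout, including strings that use the standard base64 alphabet ('+' or a leading-position '/'), which is a common sign that a hash was mangled in transit or stored in the wrong column type. The round trip through bcrypt_b64_encode is a useful sanity check when you need to regenerate a hash string from stored binary fields.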
Bcrypt vs. Other Algorithms
- Bcrypt vs. MD5/SHA-256: MD5 and SHA-256 are general-purpose hash functions designed for speed. A single GPU can test billions of candidate passwords per second against them, which makes them unsuitable for password storage. Bcrypt is deliberately tuned so that one hash takes tens to hundreds of milliseconds at a typical cost factor, so an attacker can test only a handful of guesses per second per core, and its 4 KB of cipher state per hash makes it comparatively awkward to parallelize on GPUs.
- Bcrypt vs. Argon2: Argon2 is the winner of the 2015 Password Hashing Competition and is considered the modern successor to Bcrypt. It offers better resistance against GPU-based attacks by being "memory-hard". However, Bcrypt remains widely used, trusted, and fully sufficient for most standard applications.
- Bcrypt vs. PBKDF2: PBKDF2 is another adaptive algorithm often used in government systems (FIPS compliance). While secure, it is generally considered easier to accelerate with GPUs than Bcrypt.
Key Features of Bcrypt
- Adaptive Security: The work factor can be raised over time. Each increment of the cost doubles the work, so if hardware becomes 1000x faster you raise the cost by 10 (2^10 = 1,024x more work) to keep roughly the same security margin. Existing hashes keep their original cost until they are regenerated, which is why the re-hash-on-login practice below matters.
- Built-in Salting: Bcrypt implementations handle salting automatically. You never need to manage salts manually; the salt is generated per password and stored as part of the resulting hash string.
- Rainbow Table Resistance: Because every password has a unique random salt, pre-computed tables (rainbow tables) are useless against Bcrypt.
How to Use This Tool
Generating a Hash
- Enter Text: Type the password or text you wish to securely hash.
- Adjust Rounds (Work Factor): Select a cost factor between 4 and 15 (the default is usually 10 or 12; the algorithm itself allows up to 31).
- Lower (e.g., 8-10): Faster generation, suitable for tests or constrained hardware.
- Higher (e.g., 12-14): Slower generation, significantly more expensive to brute-force. A common rule of thumb for production is to pick the highest cost your server can afford, typically so that one hash takes on the order of a few hundred milliseconds.
- Generate: Click "Generate Hash". The tool will output the full Bcrypt string.
Verifying a Hash
Since Bcrypt generates a random salt every time, hashing the same password twice results in two different strings. To check if a password is correct, you must use the Verify function:
- Enter Hash: Paste the stored bcrypt hash (the full 60-character string starting with $2...).
- Enter Text: Type the password you want to test.
- Click Verify: The tool reads the version, cost and salt from the hash, re-computes the hash for the input text with those same parameters, and compares the result with the stored hash.
Security Best Practices
- Always Use HTTPS: Hashing protects passwords in the database, but HTTPS protects them while traveling from the user's browser to your server.
- Don't Roll Your Own: Always use an established library (bcryptjs, bcrypt-ruby, or Python's bcrypt package) rather than implementing the algorithm yourself.
- Re-hash on Login: If you decide to increase your work factor from 10 to 12, existing hashes cannot be upgraded without the plaintext password. Configure your login flow to read the cost embedded in the stored hash after a successful verification and, if it is below the current target, re-hash the password and update the user's entry.
- Know the 72-Byte Limit: Bcrypt uses only the first 72 bytes of the password; most implementations silently truncate longer input, so two passwords that share the same first 72 bytes verify against the same hash. Enforce a maximum length in your own validation, or pre-hash long inputs deliberately following your library's documentation, rather than relying on silent truncation.
- Server-Side Validation: While this tool runs in the browser for demonstration, real application hashing must happen on your server. A hash computed in the browser and sent over the wire simply becomes the password.
