Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999. It incorporates a salt to protect against rainbow tables and is deliberately slow (configurable via cost factor) to resist brute-force attacks.

What cost factor should I use?

A cost of 10 is a widely used default. Cost 12 is recommended for new applications in 2024. Higher costs increase security but also increase hashing time. The hashing time should target 100–300ms on your production hardware.

Bcrypt Password Generator & Checker

Bcrypt is the gold standard for password hashing. Unlike MD5 or SHA-1, bcrypt is intentionally slow — it includes a configurable cost factor that determines how many rounds of hashing to perform, making brute-force attacks dramatically more expensive as hardware gets faster. It also automatically incorporates a random 128-bit salt, protecting against rainbow table attacks.

Bcrypt Hash Format

A bcrypt hash looks like: $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

$2b$ — bcrypt version identifier
10 — cost factor (2^10 = 1024 rounds)
Next 22 chars — base64-encoded 128-bit salt
Remaining 31 chars — the hash

Choosing the Right Cost Factor

Cost 10 — default, ~100ms on modern hardware
Cost 12 — recommended for new applications
Cost 14 — high security, ~1600ms (may be too slow for interactive login)
Target: hash should take 100–300ms on your production server

Frequently Asked Questions

Is bcrypt still the best choice?

Bcrypt remains an excellent choice and is widely supported. Argon2 (winner of the Password Hashing Competition in 2015) is considered the newer standard, especially Argon2id. Both are vastly superior to MD5, SHA-1, and SHA-256 for password storage.

Why can't I store bcrypt hashes in a VARCHAR(32)?

A bcrypt hash is always exactly 60 characters. Use VARCHAR(60) or CHAR(60) in your database schema.

Can I use this for production systems?

This tool uses bcrypt.js (a well-tested pure JavaScript implementation) running entirely in your browser — suitable for generating test hashes and checking implementations. For production, use your server-side language's native bcrypt library.

Bcrypt Password Generator & Checker online

Generate bcrypt password hashes and verify them — runs entirely in your browser