Bcrypt Generator — Adjustable Cost Factor · Strength Meter · Verify
Adjustable cost factor · Password strength meter · Benchmark · Verify mode · Code snippets · 100% browser-side
bcrypt · Adjustable cost factor · Random salt · One-way hash
Complete bcrypt tool — generate hashes with cost 8-18, see hash anatomy ($2b$12$salt+hash), check password strength with entropy bits and crack time, verify passwords against existing hashes, and run a benchmark to find the perfect cost factor for your server.
What is Bcrypt?
Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike general-purpose hash functions (MD5, SHA-256), bcrypt is intentionally computationally expensive. It uses a configurable cost factor to ensure hashing always takes a significant amount of time — making brute-force and dictionary attacks impractical even with modern GPU hardware.
Choosing the Right Cost Factor
The cost factor (work factor) controls how slow bcrypt is. Cost 12 means 2^12 = 4,096 internal rounds. Each increment doubles the time. The OWASP recommendation is to target 100–300ms hashing time on your production server. Cost 12 is typically right for modern hardware — run the benchmark to find the right value for your specific server.
Frequently Asked Questions
What is the structure of a bcrypt hash?
A bcrypt hash has 60 characters: $2b$ (algorithm), two-digit cost factor, $ separator, 22-character Base64 salt, and 31-character Base64 hash. Example: $2b$12$[22 chars salt][31 chars hash].
What does the $2b$ prefix mean?
$2b$ is the bcrypt version identifier. $2a$ is an older version with a minor bug. $2y$ is used by PHP. All are functionally equivalent — most libraries accept all three.
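The 60-character layout and version prefixes described above can be checked mechanically. The following is an added example, not code from this tool: it parses stored hashes and sorts them into those that meet a minimum cost, those to rehash at the user's next login, and those that are not bcrypt at all. The function names, the sample rows, and the minimum cost of 12 are assumptions made for illustration.

```javascript
// bcrypt's Base64 alphabet is ./A-Za-z0-9 with no padding (not RFC 4648).
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Split a stored hash into the fields described above, or say why it is malformed.
function parseBcryptHash(hash) {
  if (typeof hash !== 'string' || hash.length !== 60) {
    return { valid: false, reason: 'not a 60-character string' };
  }
  const m = BCRYPT_RE.exec(hash);
  if (!m) return { valid: false, reason: 'does not match $2a$/$2b$/$2y$ layout' };
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) {
    return { valid: false, reason: 'cost outside bcrypt range 4-31' };
  }
  return { valid: true, version: m[1], cost, rounds: 2 ** cost, salt: m[3], digest: m[4] };
}

// Bucket stored credentials: fine as-is, rehash at next login, or not bcrypt at all.
function auditHashes(records, minCost) {
  const report = { ok: [], rehash: [], invalid: [] };
  for (const { user, hash } of records) {
    const p = parseBcryptHash(hash);
    if (!p.valid) report.invalid.push(user);
    else if (p.cost < minCost) report.rehash.push(user);
    else report.ok.push(user);
  }
  return report;
}

// Constructed sample rows; salt and digest are filler, not hashes of real passwords.
const SALT = 'abcdefghijklmnopqrstuv'; // 22 characters
const DIGEST = 'x'.repeat(31);
const SAMPLE = [
  { user: 'alice', hash: '$2b$12$' + SALT + DIGEST },
  { user: 'bob', hash: '$2a$08$' + SALT + DIGEST },
  { user: 'carol', hash: '$2y$10$' + SALT + DIGEST },
  { user: 'dave', hash: '0123456789abcdef0123456789abcdef' }, // 32 hex chars, not bcrypt
];

console.log(auditHashes(SAMPLE, 12));
```

A hash in the rehash bucket can only be upgraded when the user next logs in successfully, because the plaintext password is needed to compute the new hash.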
How do I use bcrypt in Node.js?
Install bcrypt with npm install bcrypt. Use bcrypt.hash(password, costFactor) to hash and bcrypt.compare(password, hash) to verify. Always use the async versions to avoid blocking the event loop.
What is password entropy?
Entropy measures the unpredictability of a password in bits. A password with 60+ bits of entropy is considered strong. Entropy depends on password length and character set size: entropy = log2(poolSize^length) = length × log2(poolSize).
How long does bcrypt take?
On a modern server, cost 10 takes ~10ms, cost 12 ~100ms, cost 14 ~400ms, cost 16 ~1.5 seconds. The browser may be slower than your server — always run the benchmark on your actual production hardware.