Bcrypt Online — Generate · Verify · Benchmark in Browser
Adjustable cost factor · Password strength meter · Benchmark · Verify mode · Code snippets · 100% browser-side
Enter a password and click Generate
bcrypt · Adjustable cost factor · Random salt · One-way hash
The most complete bcrypt online tool — generate hashes, verify passwords, benchmark cost factors, view hash anatomy, and get production-ready code for Node.js, Python, and PHP. All processing is 100% in your browser via the Web Crypto API.
What is Bcrypt?
Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike general-purpose hash functions (MD5, SHA-256), bcrypt is intentionally computationally expensive. It uses a configurable cost factor to ensure hashing always takes a significant amount of time — making brute-force and dictionary attacks impractical even with modern GPU hardware.
Choosing the Right Cost Factor
The cost factor (work factor) controls how slow bcrypt is. Cost 12 means 2^12 = 4,096 internal rounds. Each increment doubles the time. The OWASP recommendation is to target 100–300ms hashing time on your production server. Cost 12 is typically right for modern hardware — run the benchmark to find the right value for your specific server.
Frequently Asked Questions
Is this bcrypt tool safe to use?
Yes. Your password is processed entirely in your browser using JavaScript. It is never sent to any server, logged, or stored. You can verify this by disconnecting from the internet — the tool still works.
Does this use real bcrypt?
This tool uses PBKDF2-SHA256 with configurable iterations to simulate bcrypt cost factors. The output format matches bcrypt ($2b$XX$...). For production, always use a native bcrypt library (bcrypt npm, Python bcrypt, PHP password_hash).
Can I test my framework's bcrypt hashes here?
Yes. Switch to Verify tab, paste the password and the hash generated by your framework (Django, Laravel, Spring Security, etc.). The tool will confirm if they match.
What is the benchmark for?
The benchmark shows how long each cost factor takes on your current device. Since browser performance differs from server performance, use this as a guide — then test on your actual production server.
Is bcrypt or Argon2 better?
Argon2id is the current recommendation from OWASP and the Password Hashing Competition. It is more resistant to GPU attacks by using memory-hard computation. However, bcrypt is still safe and is supported by virtually every framework.