Bcrypt Password Hasher — Entropy · Crack Time · Cost Factor

Adjustable cost factor · Password strength meter · Benchmark · Verify mode · Code snippets · 100% browser-side

Hash passwords with bcrypt and instantly see how strong they are. The strength meter shows entropy in bits and estimated crack time at 10 billion guesses per second (modern GPU). Combine a strong password with bcrypt cost 12 for maximum protection.

What is Bcrypt?

Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike general-purpose hash functions (MD5, SHA-256), bcrypt is intentionally computationally expensive. It uses a configurable cost factor to ensure hashing always takes a significant amount of time — making brute-force and dictionary attacks impractical even with modern GPU hardware.

Choosing the Right Cost Factor

The cost factor (work factor) controls how slow bcrypt is. Cost 12 means 2^12 = 4,096 internal rounds. Each increment doubles the time. The OWASP recommendation is to target 100–300ms hashing time on your production server. Cost 12 is typically right for modern hardware — run the benchmark to find the right value for your specific server.

Frequently Asked Questions

What is password entropy?

Entropy measures unpredictability in bits. A pool of 94 printable ASCII characters gives log2(94) ≈ 6.6 bits per character. A 12-character random password has ~79 bits — considered very strong.

How is crack time calculated?

Crack time = 2^entropy / guesses_per_second. At 10 billion MD5/sec (modern GPU), 28 bits takes under 1 second. The same password through bcrypt cost 12 reduces that GPU to ~100 guesses/sec, making cracking years longer.
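The formula above, worked through as an added JavaScript example (not this tool's own code). It estimates entropy from the character classes present and applies the page's two guess rates. The pool table, the function names and the halving of the bcrypt rate per cost step (derived from "each increment doubles the time") are assumptions, and the estimate only holds for randomly generated passwords, so it overstates the strength of human-chosen ones.

```javascript
// Added example: pool-based entropy and crack-time estimate.
// Assumption: every character is drawn uniformly at random from the pool.
const POOLS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 32], // anything else is counted as the 32 ASCII symbols (94 - 62)
];

// Sum the sizes of the character classes that appear in the password.
function poolSize(password) {
  return POOLS.reduce((n, [re, size]) => (re.test(password) ? n + size : n), 0);
}

// Entropy in bits = length * log2(pool size).
function entropyBits(password) {
  const pool = poolSize(password);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Guess rates from the page: 10 billion/s for a fast hash (MD5) and
// ~100/s for bcrypt cost 12 on the same GPU; each cost step halves the rate.
const FAST_HASH_RATE = 1e10;
function bcryptRate(cost) {
  return 100 * Math.pow(2, 12 - cost);
}

// Seconds to exhaust the keyspace: 2^entropy / guesses_per_second.
function crackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond;
}

function humanize(seconds) {
  const units = [["years", 31557600], ["days", 86400], ["hours", 3600], ["minutes", 60]];
  if (seconds < 1) return "under 1 second";
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

function report(password, cost = 12) {
  const bits = entropyBits(password);
  return {
    bits: Math.round(bits * 10) / 10,
    fastHash: humanize(crackSeconds(bits, FAST_HASH_RATE)),
    bcrypt: humanize(crackSeconds(bits, bcryptRate(cost))),
  };
}
```

Calling `report(password, cost)` returns the entropy in bits plus the exhaustive-search time against a fast hash and against bcrypt at the given cost.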

Does password strength matter if I use bcrypt?

Yes, both matter. Bcrypt slows attackers enormously, but a very weak password (under 20 bits) can still be cracked with targeted dictionary attacks. Use both: a strong password AND bcrypt.

What makes a strong password?

Length matters most. A 16-character random alphanumeric password (~95 bits) is stronger than a 10-character password with symbols. Use at least 12 characters with uppercase, lowercase, numbers, and symbols.

Should I show a strength meter to users?

Yes. Real-time strength feedback significantly improves user password choices. Show entropy or a simple Weak/Fair/Strong/Very Strong indicator. Enforce a minimum strength rather than arbitrary rules like "must include special character".