Bcrypt Verifier — Check Password Against Hash Instantly

Adjustable cost factor · Password strength meter · Benchmark · Verify mode · Code snippets · 100% browser-side

Verify any password against its bcrypt hash. Paste the plain password and the stored hash — get an instant ✅ Match or ❌ No Match result. Perfect for debugging authentication issues, testing hash libraries, and verifying database exports. 100% browser-side.

What is Bcrypt?

Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike general-purpose hash functions (MD5, SHA-256), bcrypt is intentionally computationally expensive. It uses a configurable cost factor to ensure hashing always takes a significant amount of time — making brute-force and dictionary attacks impractical even with modern GPU hardware.

Choosing the Right Cost Factor

The cost factor (work factor) controls how slow bcrypt is. Cost 12 means 2^12 = 4,096 internal rounds. Each increment doubles the time. The OWASP recommendation is to target 100–300ms hashing time on your production server. Cost 12 is typically right for modern hardware — run the benchmark to find the right value for your specific server.

Frequently Asked Questions

Why does bcrypt verification take time?

Verification hashes the input password using the salt embedded in the stored hash, then compares. This intentional slowness is the security feature — it makes brute-force attacks impractical.

What if my verify returns false for the correct password?

Common causes: (1) Password was trimmed/modified before storage. (2) Hash was truncated in the database column (use VARCHAR(60) minimum). (3) Different bcrypt library versions. (4) Password has special characters that were encoded differently.

Is bcrypt comparison timing-safe?

Yes. Proper bcrypt implementations (like the bcrypt npm package) use constant-time comparison to prevent timing attacks where an attacker measures response time to determine partial matches.

Can I verify a PHP password_hash() result here?

Yes. PHP password_hash() with PASSWORD_BCRYPT produces standard bcrypt hashes ($2y$...). This tool accepts $2a$, $2b$, and $2y$ prefixes.

My hash starts with $2y$ not $2b$ — does it work?

$2y$ is the PHP-specific bcrypt identifier. It is functionally identical to $2b$. This verifier accepts both formats.
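The causes listed under "What if my verify returns false for the correct password?" and the prefix rules in the last two answers can be checked before any hashing is done. The JavaScript below is an added example, not this tool's code or part of the bcrypt npm package; `inspectHash`, `inspectPassword` and the sample hash string are constructed for illustration.

```javascript
// Added example: pre-verification checks for a stored bcrypt string and a password.
// Function names are hypothetical; nothing here comes from a bcrypt library.
// Layout: $<2a|2b|2y>$<2-digit cost>$<22-char salt><31-char hash> = 60 characters.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Constructed placeholder in the right shape; not the hash of any real password.
const SAMPLE = '$2y$12$' + 'A'.repeat(22) + 'B'.repeat(31);

function inspectHash(stored) {
  const issues = [];
  if (stored !== stored.trim()) issues.push('hash has leading/trailing whitespace');
  const h = stored.trim();
  const m = BCRYPT_RE.exec(h);
  if (m) {
    const cost = Number(m[2]);
    if (cost < 4 || cost > 31) issues.push(`cost ${cost} is outside bcrypt's 4..31 range`);
    return { ok: issues.length === 0, prefix: m[1], cost, rounds: 2 ** cost, issues };
  }
  const before = issues.length;
  if (!/^\$2[aby]\$/.test(h)) issues.push('prefix is not $2a$, $2b$ or $2y$');
  if (h.length < 60) issues.push(`length ${h.length} < 60: truncated, check the column width`);
  if (h.length > 60) issues.push(`length ${h.length} > 60: extra characters appended`);
  if (issues.length === before) issues.push('bad cost field or character outside ./A-Za-z0-9');
  return { ok: false, prefix: null, cost: null, rounds: null, issues };
}

function inspectPassword(pw) {
  const issues = [];
  if (pw !== pw.trim()) issues.push('password has leading/trailing whitespace');
  // Composed vs. decomposed Unicode looks identical but encodes to different bytes.
  if (pw !== pw.normalize('NFC')) issues.push('password is not NFC-normalized');
  return { bytes: new TextEncoder().encode(pw).length, issues };
}

console.log(inspectHash(SAMPLE));               // well-formed, cost 12
console.log(inspectHash(SAMPLE.slice(0, 50)));  // simulates a 50-character column
console.log(inspectPassword('cafe\u0301'));     // decomposed "é"
```

Run it against the exact string read back from the database and the exact password the login handler receives; a clean report from both means the mismatch lies elsewhere, such as the library version.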