Any-Tools.net
Free Converter

Bcrypt Password Generator

Generate secure bcrypt password hashes instantly in your browser. Choose your cost factor and hash passwords client-side — completely private and free.

Related Tools

View all tools

WiFi Password QR Generator

Generate a QR code for your WiFi network so guests can connect instantly by scanning.

MD5 Hash Generator

Generate MD5 hashes from text or files instantly in your browser. Free, private, and no upload required.

SHA Hash Generator

Generate SHA-1, SHA-256, and SHA-512 hashes from text or files instantly in your browser. Uses the Web Crypto API — completely private and free.

UUID / GUID Generator

Generate UUID v4 (GUID) values instantly in your browser. Free, private, and client-side — no data sent to any server.

About bcrypt Password Hashing

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999, derived from the Blowfish cipher. Unlike general-purpose hash functions like SHA-256, bcrypt is deliberately slow — and configurably slow, via a cost parameter — which is exactly the property a password hasher needs. A faster hash function lets attackers brute-force more candidates per second; a slower one limits them.

bcrypt also incorporates per-password salt automatically, eliminating an entire class of attacks based on precomputed rainbow tables. The salt and cost parameter are stored as part of the bcrypt output, so verification needs only the stored hash and the candidate password — no separate salt management. This combination of slowness, salt, and self-contained format made bcrypt the default password hash for two decades and a strong choice today.

Modern alternatives exist. Argon2 won the 2015 Password Hashing Competition and offers memory-hardness in addition to time-hardness. scrypt offers similar properties. For new designs, Argon2id is the recommended choice. bcrypt remains acceptable and widely deployed, particularly in environments where Argon2 is not available.

Why Hash Passwords with bcrypt

Storing passwords as plaintext is malpractice. Storing them with a fast hash like SHA-256 is barely better — modern GPUs compute billions of SHA-256 hashes per second, making brute-force attacks against any common password feasible in hours. bcrypt's deliberate slowness shifts the economics: at cost factor 12, an attacker spends roughly 250 ms per candidate password, making brute-force impractical for any non-trivial password.

bcrypt's automatic per-password salt also defeats rainbow table attacks. Two users with the same password produce different bcrypt hashes because their salts differ. Compromising the password database does not let an attacker quickly identify common passwords or precomputed-table hits.

How to Generate a bcrypt Hash

Type a password, choose cost, get the hash.

  1. Enter the password: Type the password to hash. The tool runs entirely in your browser; the password is not transmitted anywhere.
  2. Choose cost factor: Default is 10, producing approximately 100 ms hashing time on modern hardware. 12 is recommended for new applications (250 ms). Higher values increase security at the cost of slower verification.
  3. Generate: The hasher generates a random 16-byte salt, runs the bcrypt key derivation, and produces a hash in standard $2b$ format.
  4. Use the hash: Store the complete output ($2b$cost$saltAndHash) in your password database. Verification uses the same library to compare a candidate against the stored hash.

Common Use Cases

Technical Details

bcrypt uses a modified Blowfish cipher's key-setup phase, repeated 2^cost times. The cost factor is logarithmic — cost 12 is twice as slow as cost 11, four times as slow as cost 10. This logarithmic scaling lets administrators ratchet up the cost over time as hardware improves, without redesigning the system.

Output format is $version$cost$saltAndHash where saltAndHash is base64-encoded with a custom alphabet. The version is typically $2b$ (the modern variant with the wraparound bug fixed) or $2y$ (PHP-specific, equivalent). The salt is 16 bytes; the hash is 24 bytes; together they encode to 53 characters of custom-base64.

Maximum input length is 72 bytes (Blowfish key length limit). Longer passwords are silently truncated, which is a long-standing bcrypt quirk. Best practice is to either limit password length to 72 bytes or pre-hash with SHA-256 to normalize length before bcrypt.

Best Practices

Frequently Asked Questions

What cost factor should I use?
Cost 12 is recommended for new applications, producing approximately 250 ms hashing time on modern hardware. Cost 10 (about 60 ms) is acceptable for high-throughput systems. Cost 14+ becomes painful for users; reserve for high-security applications.
Why is bcrypt slow?
Deliberately. Hash speed limits attacker speed for brute-force searches. Cost factor controls the slowdown: each increment doubles the time.
Is bcrypt still recommended?
Yes for existing systems, with cost factor 12+. For new designs, Argon2id is the modern recommendation, but bcrypt remains acceptable and is more widely supported.
What's the maximum password length?
72 bytes (the Blowfish key length limit). Longer passwords are silently truncated. Best practice is to either enforce a 72-byte limit or pre-hash with SHA-256 before bcrypt.
Should I add my own salt?
No. bcrypt generates and stores a random salt automatically. Adding your own salt is unnecessary and can cause subtle bugs. Use the library's default salt generation.
Is the password sent to a server?
No. bcrypt hashing happens in your browser. The password never leaves your device.
Why are there $2a$, $2b$, $2y$ variants?
$2a$ is the original. $2b$ fixes a wraparound bug discovered in 2014. $2y$ is PHP-specific, functionally equivalent to $2b$. New systems should produce $2b$ hashes.
Can I downgrade a high-cost hash to a lower cost?
No. The hash includes the cost as part of the output and verification requires the same cost. To change cost, re-hash on next successful login.

Related Articles

Developer

Essential Developer Tools: JSON, Base64, RegEx, and More

A comprehensive overview of the developer utilities every programmer should know, from data format converters to encoding tools.

9 min readDeveloper & Security

Hashing, Encryption, and Encoding Explained: A Developer's Security Guide

Understand the differences between hashing, encryption, and encoding. Learn when to use MD5, SHA-256, Base64, AES, and other cryptographic tools in your applications.

10 min readData & Productivity

Spreadsheet & Data Conversion Guide: Excel, CSV, JSON, and More

Learn how to convert between spreadsheet and data formats like Excel, CSV, JSON, and XML. Practical tips for handling data migration, cleaning, and transformation.

10 min readPrivacy & Technology

Why Browser-Based Tools Are the Future: No Installs, No Uploads, No Risk

Discover why browser-based tools are replacing desktop software and cloud uploads. Learn how client-side processing keeps your files private while delivering powerful functionality.

7 min read