Bcrypt Password Hasher
Hash passwords with bcrypt adaptive cost function or verify a plaintext password against a stored hash.
Bcrypt is a one-way hash: the original password cannot be recovered from the hash. Higher salt rounds increase security but take longer to compute.
Bcrypt is a password-hashing function designed to be deliberately slow: it applies a configurable cost factor that makes brute-force attacks computationally expensive, even as hardware gets faster. Security engineers and developers use bcrypt to hash passwords before storing them in a database, so that a data breach does not expose plaintext credentials. AlteredIdea's bcrypt tool hashes and verifies passwords entirely in your browser: no password or hash is ever sent to a server.
Why bcrypt is the standard for password storage
Bcrypt is an adaptive password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike fast hash functions such as MD5 or SHA-256, bcrypt is intentionally slow: its cost factor (salt rounds) can be increased over time to keep pace with hardware improvements, making it resistant to brute-force and rainbow-table attacks even years after deployment.
This tool runs bcryptjs entirely in your browser tab. Your password never touches a server, a network socket, or any storage. The salt is randomly generated per hash, meaning the same password hashed twice will produce completely different outputs, preventing pre-computation attacks.
How to use: step by step
- 1Choose Hash or Verify mode
Select Hash to generate a bcrypt hash from a plaintext password, or Verify to check whether a password matches a stored hash. - 2Enter your password
Type or paste the password. Use the eye icon to toggle visibility. The field is never auto-completed. - 3Set salt rounds (hash mode)
Drag the slider between 4 and 12. The default of 10 balances security and speed. Higher rounds are exponentially slower but more resistant to cracking. - 4Click Hash Password
The bcryptjs library runs the Blowfish key schedule entirely in your browser tab: no server call is made. - 5Copy the hash or check the result
In hash mode, copy the $2b$ hash string. In verify mode, a clear match/no-match result is shown instantly.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
Password Strength
Analyze password entropy, character composition, and estimated crack time across different attack scenarios.
AES Encrypt / Decrypt
Encrypt and decrypt text with AES-256-GCM. Password-derived key via PBKDF2. Output includes salt and IV: fully self-contained.
Frequently Asked Questions
- Is bcrypt hashing done server-side?
- No. This tool uses the bcryptjs library, which is a pure-JavaScript implementation that runs entirely in your browser. Your password is never transmitted.
- What salt rounds should I use?
- OWASP recommends a cost factor of 10 or higher for production use. Increase it as hardware improves. A round of 12 is a good modern choice for most applications.
- Why does bcrypt take longer with higher salt rounds?
- Bcrypt is deliberately slow. Each additional round doubles the computation time, making offline brute-force attacks proportionally harder.
- Can I recover the original password from a bcrypt hash?
- No. Bcrypt is a one-way function. The only way to check a password is to hash the candidate with the embedded salt and compare.
- What is the maximum password length for bcrypt?
- Bcrypt truncates input at 72 bytes. For passwords longer than 72 bytes, consider pre-hashing with SHA-256 before bcrypt.
- What does the $2b$ prefix mean?
- It denotes the bcrypt algorithm version. $2b$ is the current canonical version. Older hashes may start with $2a$ or $2y$.
- Can I use this hash in a database?
- Yes. The $2b$ output is a standard bcrypt hash string that works with bcrypt libraries in Node.js, PHP, Python, Go, and most other languages.
- Is bcrypt still recommended?
- Yes for most applications. Argon2id is the newer OWASP first choice, but bcrypt with a cost of 10–12 remains widely accepted and secure.
- How do I store a bcrypt hash in a database?
- Store the full $2b$ hash string as a VARCHAR(60) column. It is exactly 60 characters long and contains the algorithm version, cost factor, salt, and hash all in one string. Never store the plaintext password or a separate salt column: bcrypt embeds everything needed for verification in the hash itself.
- Why does the same password produce a different hash each time?
- Bcrypt generates a new random 128-bit salt for every hash operation. The salt is embedded in the output string, which is why two hashes of the same password look completely different. This prevents pre-computation attacks such as rainbow tables.
AlteredIdea vs alternatives
vs online hashing sites: Many send your data to a server to hash it. AlteredIdea runs all cryptographic operations in your browser using the Web Crypto API: your sensitive data never leaves your device.
vs openssl / command line: No terminal, no setup. Just paste and get results instantly.
vs library code: No coding required. Instant visual output with copy-to-clipboard.