EN
PT
ES
bcrypt Hash Generator & Verifier
Hash passwords with the industry-standard bcrypt and verify a plain password against any bcrypt hash. Adjustable cost.
What is bcrypt?
bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. It builds on the Blowfish cipher and is deliberately slow: a configurable cost factor controls how many key-setup rounds run before the hash is produced, so defenders can keep raising the cost as hardware speeds up. Each hash also embeds a 128-bit random salt, which means hashing the same password twice produces two different outputs and pre-computed rainbow tables are useless. The output looks like $2b$10$… where 2b is the algorithm version, 10 is the cost factor and the rest is the salt and hash. bcrypt remains the workhorse choice for password storage in 2026: simpler to use than Argon2, more battle-tested than scrypt, and supported in every major language.
How to use
To hash, type the password, pick a cost factor and click Generate hash. The output goes straight to your database. To verify, paste the hash from the database and type the candidate password, then click Verify. Bcrypt embeds the cost factor inside the hash, so you don’t pick it again on verify — the library reads it from the string.
Choosing a cost factor
Each cost step doubles the time. Pick the highest cost that keeps logins under ~250 ms on your hardware. For high-traffic logins on commodity servers, 10 (≈60 ms) is the modern minimum; 12 (≈250 ms) is a comfortable choice for sensitive accounts; 13–15 is justified for crown-jewel credentials but you must measure latency. Increase the cost when you upgrade the database — re-hash on the next login.
Cost factor reference (modern CPU, single thread)
| Cost | Iterations | Approx. time |
|---|---|---|
| 4 | 16 | ~1 ms |
| 8 | 256 | ~15 ms |
| 10 (default) | 1,024 | ~60 ms |
| 12 | 4,096 | ~250 ms |
| 13 | 8,192 | ~500 ms |
| 14 | 16,384 | ~1 s |
| 15 | 32,768 | ~2 s |