Bcrypt Generator

Bcrypt has been the go-to password hashing scheme in US web development since its 1999 debut by Provos and Mazières. NIST SP 800-63B recommends memory-hard hashing for password storage, and OWASP lists bcrypt as a preferred option alongside Argon2id. Rails ships bcrypt through has_secure_password, Django supports it as a pluggable backend, and Node.js developers reach for bcryptjs. The cost factor controls how long a single hash takes: raising the cost by one doubles the work. Most apps settle on cost 10 (1,024 rounds) as a baseline, while financial or admin systems often go to 12 (4,096 rounds). This tool runs entirely in the browser using JavaScript, so your passwords never leave your machine.

What is bcrypt?

Bcrypt is a password-hashing function designed by Niels Provos and David Mazières and built on the Blowfish cipher. Unlike fast digests such as MD5 or SHA-256, bcrypt is deliberately slow and computationally expensive, which makes brute-force attacks against stolen password hashes far more expensive. Bcrypt generates a random salt for every password, so identical passwords produce different hashes.

How does bcrypt work?

The bcrypt algorithm runs entirely in your browser. Here's what happens step by step:

  1. Your password is encoded as UTF-8 bytes and fed into the bcrypt key schedule, which initialises the Blowfish cipher's 4,184-byte P-array and S-boxes from the password and the salt.
  2. A random 128-bit salt is generated. The salt is mixed into the key schedule so that every unique salt produces a completely different hash, even for the same password.
  3. The key schedule is run for 2^cost rounds (e.g., 2^10 = 1,024 iterations at cost 10). Each iteration re-keys the cipher's P-array and S-boxes using the password and then the salt, so the computation slows down as the cost goes up.
  4. The final output is a 60-character string in the format $2b$<cost>$<salt><hash>, where cost is two zero-padded digits (e.g., 10), salt is 22 characters and hash is 31 characters, both written in bcrypt's own Base64 alphabet.
  5. For verification, the same algorithm runs again with the candidate password and the salt taken from the stored hash. If the derived hash matches the stored one, the password is correct.

Which cost factor should I use?

The cost factor is the logarithm of the iteration count — cost 10 means 2^10 = 1,024 rounds, cost 12 means 4,096 rounds. Choose based on your security needs and hardware:

  • Cost 4-6 (16-64 rounds) — only for development and testing. Too fast for production use; provides minimal protection.
  • Cost 8 (256 rounds) — bare minimum for non-critical applications. Around 6ms on modern hardware.
  • Cost 10 (1,024 rounds) — current recommended baseline. Takes about 25ms. Good for most web applications.
  • Cost 12 (4,096 rounds) — recommended for admin portals, financial systems, and high-security apps. Takes about 100ms.
  • Cost 14 (16,384 rounds) — high security. Takes about 400ms. Use for master passwords, encryption keys, or whenever login latency is acceptable.

Why use this bcrypt generator?

  • Your privacy is protected — every password is hashed locally in your browser, and no data ever leaves your device.
  • You get both modes side by side: generate new hashes or verify existing ones without switching pages.
  • The cost factor is adjustable from 4 (fast) to 15 (very slow), so you can match your application's security needs.
  • Hashes use the standard $2b$ format that works with every major language and framework.

What are common applications of bcrypt?

Bcrypt is widely used for password storage and verification across the industry:

  • Web application authentication — storing user password hashes in databases so plaintext passwords are never saved.
  • API key hashing — hashing API secrets before storing them, so a database breach doesn't leak valid credentials.
  • Migration auditing — checking that legacy password hashes from an older system still authenticate users after upgrading the auth layer.

What does a bcrypt hash look like?

Hashing the password hunter2 with cost factor 10 produces a string like $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy. The format breaks down as: $2b$ (algorithm version), 10 (cost factor), $, then 22 characters of salt and 31 characters of hash, both encoded in bcrypt's own Base64 alphabet (./A-Za-z0-9, no padding) rather than standard Base64. Each run with the same password produces a different hash because of the random salt.
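As an added example (not this tool's own code), here is a small Node.js parser for the hash format described above that also applies the cost guidance from the cost-factor section: it validates the layout, decodes the 128-bit salt from bcrypt's Base64 alphabet, and flags stored hashes that should be recomputed at a higher cost on the next successful login. The admin/non-admin cost policy and the function names are assumptions for illustration; SAMPLE is the page's illustrative hash.

```javascript
// Added example (not this tool's own code): parse a stored bcrypt string,
// validate its layout, recover the cost and the 128-bit salt, and decide
// whether an account's hash should be recomputed at a stronger cost.
const BCRYPT_ALPHABET =
  './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// bcrypt uses its own Base64 alphabet (above) with no '=' padding;
// 22 characters carry 132 bits, of which the first 128 are the salt.
function decodeBcryptBase64(text, byteLength) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    const v = BCRYPT_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid bcrypt Base64 character: ${ch}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
    if (out.length === byteLength) break;
  }
  return Uint8Array.from(out);
}

function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str); // accepts the $2a$/$2b$/$2x$/$2y$ variants
  if (!m) throw new Error('not a 60-character bcrypt hash');
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) throw new Error(`cost ${cost} outside 4..31`);
  return {
    version: m[1],
    cost,
    rounds: 2 ** cost,
    salt: decodeBcryptBase64(m[3], 16), // 16 bytes = 128-bit salt
    saltText: m[3],
    hashText: m[4],
  };
}

// After a successful login, compare the stored cost with current policy
// (assumed here: 12 for admin accounts, 10 otherwise) and re-hash if behind.
function needsRehash(str, isAdmin) {
  return parseBcryptHash(str).cost < (isAdmin ? 12 : 10);
}

const SAMPLE = '$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy';
```

Re-hashing on login works because the user's plaintext password is available at exactly that moment; the stored cost is read straight from the hash string, so no extra column is needed.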

This bcrypt generator runs entirely in your browser using a pure-JavaScript implementation. Hash passwords before storing them, verify existing hashes, and tune the cost factor to match your security requirements — all without sending a single byte to a server.