Hash passwords or verify them against a bcrypt hash. Runs entirely in your browser.
Select Hash Password or Verify Password mode. In Hash mode, enter a password, set the cost rounds (4–14; OWASP recommends 10–12), and click Hash. The tool calls bcrypt.hash() from the bcryptjs library entirely in your browser — no data is sent to any server. The resulting hash embeds the salt and cost factor so it can be stored directly in a database. In Verify mode, enter the original password and the stored bcrypt hash and click Verify to confirm whether they match.
bcrypt is a password hashing function designed in 1999 to be intentionally slow. Its cost factor makes brute-force attacks computationally expensive. It also salts hashes automatically, making rainbow table attacks infeasible.
The cost factor is an exponent: bcrypt performs 2^cost iterations. Cost 10 = 1,024 iterations; cost 12 = 4,096. The OWASP recommendation is cost 10 minimum, cost 12 preferred for new systems. Higher cost = slower hashing but better brute-force resistance.
Yes. bcrypt generates a random 128-bit salt per hash and embeds it in the output string. The same password hashed twice produces two different strings — both verify correctly against the original password.
No. MD5 and SHA-1 are fast general-purpose hash functions — attackers can compute billions per second on commodity hardware. Use bcrypt, scrypt, or Argon2 instead; they are designed to be slow and memory-hard.
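An added example, not code from this tool or from bcryptjs: a dependency-free JavaScript parser for the stored hash string described above. It extracts the version, cost factor and 128-bit salt, and flags values whose cost is below a minimum (default 10, the minimum this page cites). The function names, the status labels and the sample strings are assumptions constructed for illustration.

```javascript
// bcrypt's own base64 alphabet (it differs from RFC 4648 base64).
const BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// $<version>$<2-digit cost>$<22-char salt><31-char digest> = 60 characters.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode the 22-character salt field into its 16 raw bytes (128 bits).
function decodeSalt(field) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of field) {
    acc = (acc << 6) | BCRYPT_B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(bytes);
}

// Split a stored hash into its parts; returns null if it is not bcrypt-shaped.
function parseBcrypt(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // cost range the algorithm allows
  return { version: m[1], cost, iterations: 2 ** cost, salt: decodeSalt(m[3]), digest: m[4] };
}

// Classify a stored value against a minimum-cost policy (hypothetical helper).
function auditStoredHash(stored, minCost = 10) {
  const parsed = parseBcrypt(stored);
  if (!parsed) return "not-bcrypt";
  return parsed.cost < minCost ? "rehash-on-next-login" : "ok";
}

// Constructed sample values: bcrypt-shaped strings, not hashes of real passwords.
const DIGEST = "h5TgN2cJ8sDqW4yB6oM1vXzA0eI9kUr";
const samples = [
  "$2b$12$" + "Kx3fQ9mZ1aVb7LwE0pRtYu" + DIGEST, // cost 12
  "$2a$06$" + "/" + ".".repeat(21) + DIGEST,   // cost 6, below the minimum
  "0123456789abcdef0123456789abcdef",          // 32 hex digits, shaped like unsalted MD5
];
for (const s of samples) console.log(auditStoredHash(s), parseBcrypt(s)?.iterations);
```

Because the cost and salt travel inside the string, a check like this can run over a credential table without knowing any password.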