Bcrypt Generator and Verifier
Generate a bcrypt password hash with a custom cost factor, or verify a password against an existing bcrypt hash. Runs fully in your browser, no signup.
bcrypt uses only the first 72 bytes of a password. Longer input is truncated, which is a property of the algorithm itself.
Cost factor (work factor): each step doubles the work. The number is stored in the hash so it can be verified later. Cost 10 is the default in most frameworks (Laravel, bcryptjs, Spring) and a solid baseline.
Hashing and verification run entirely in your browser using a dependency-free bcrypt implementation verified against the canonical Openwall crypt_blowfish test vectors. Salts come from crypto.getRandomValues. Passwords and hashes are never uploaded, logged, or stored.
How to use
- Pick a tab: Generate hash to create a bcrypt hash, or Verify hash to test a password against an existing one.
- To generate, type a password, drag the cost factor to the value you want (10 is a common default, higher is slower and stronger), and choose a prefix ($2b$ is recommended for new hashes).
- Press Generate bcrypt hash. The full 60-character hash appears with a copy button, the cost and prefix used, and how long it took on your device.
- To verify, switch to the Verify hash tab, paste the bcrypt hash, type the password to test, and press Verify password.
- Read the result: a clear match or no-match message, plus the cost and prefix read from the hash. The cost and salt are taken from the hash, so you do not set them.
- Use Show password to reveal what you typed, and Clear to reset every field. Everything runs locally and nothing is uploaded.
About this tool
Bcrypt Generator and Verifier does two jobs that developers reach for constantly: it turns a plaintext password into a bcrypt hash, and it checks whether a password matches a bcrypt hash you already have. Both run entirely in your browser. Bcrypt is the password hashing scheme built on the Blowfish cipher with an expensive key setup, and it is the default in Laravel, Symfony, Ruby on Rails (has_secure_password), Spring Security, many Node back ends, and the Apache htpasswd -B command, which is why so many people need to produce or test one of these hashes by hand.

The first tab generates a hash. You type a password, choose a cost factor from 4 to 16, and pick a prefix: $2b$ is the current standard for new hashes, $2a$ is the widely supported legacy prefix that every library reads, and $2y$ is the PHP and crypt_blowfish form.

The cost factor (also called the work factor or rounds) is the heart of bcrypt: it sets how many times the key schedule repeats, and because each step doubles the work, raising the cost by one makes the hash twice as slow to compute and twice as slow to brute force. Cost 10 is the common framework default and a solid baseline; 11 or 12 give a stronger margin on modern servers; values of 13 and above are deliberately slow and can take seconds even in a fast browser, so the tool warns you before it runs them and reports exactly how long the hash took on your machine, which is the honest way to choose a cost: pick the highest value your login latency budget can absorb.

Every hash uses a fresh, cryptographically random 16-byte salt from crypto.getRandomValues, so the same password produces a different 60-character hash each time, and that is correct and expected behavior, not a bug.

The second tab verifies a password. You paste an existing bcrypt hash and the password you want to test, and the tool reads the cost and salt straight out of the hash, recomputes the bcrypt digest, and compares the result, telling you clearly whether the password matches along with the prefix and cost the hash was made with. It also recognizes when a string is not a valid bcrypt hash and explains what a valid one looks like (a 60-character string starting with $2a$, $2b$, or $2y$ and a two-digit cost).

One property worth knowing: bcrypt only uses the first 72 bytes of a password and silently ignores the rest, so the tool flags when your input is longer than that.

The bcrypt implementation here is a dependency-free TypeScript port of the algorithm, verified against the canonical Openwall crypt_blowfish reference test vectors and the classic Eric Young Blowfish cipher vectors, so the hashes it produces are accepted by standard bcrypt libraries and the hashes those libraries produce verify here.

A practical reminder: this tool is ideal for generating a hash to drop into a config file or seed script, for checking a hash during debugging, for teaching how cost factors trade speed for safety, and for producing the bcrypt entry that tools like htpasswd and Caddy expect. For hashing real user passwords at scale you would normally run bcrypt on your server rather than in a browser tab. Nothing you type here, neither the password nor the hash, is ever uploaded, logged, or stored.
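The hash layout, stored cost and 72-byte limit described above, as an added JavaScript example (not the tool's own code): it validates and parses a bcrypt string, decodes the salt, counts the password bytes bcrypt would ignore, and flags hashes below a policy cost. The 22-character salt and 31-character digest widths, the base64 alphabet, the 4 to 31 cost range, and the names `parseBcrypt`, `ignoredBytes` and `audit` are assumptions based on the standard bcrypt encoding, not taken from this page.

```javascript
// Added example: inspect a stored bcrypt hash string without computing bcrypt.
// Field widths and alphabet follow the standard bcrypt encoding (assumed, not from the tool).
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const SHAPE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Constructed sample: valid shape only, not the digest of any real password.
const SAMPLE = "$2b$10$" + "N".repeat(21) + "u" + "x".repeat(31);

// bcrypt's base64 variant: 6 bits per character, most significant first, no padding.
function decodeB64(text, byteCount) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out.slice(0, byteCount));
}

// Returns null for anything that is not a well-formed bcrypt hash.
function parseBcrypt(hash) {
  const m = SHAPE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // cost range bcrypt accepts (assumed)
  return { prefix: "$" + m[1] + "$", cost, iterations: 2 ** cost, salt: decodeB64(m[3], 16) };
}

// Bytes of the UTF-8 encoded password that bcrypt ignores (everything past byte 72).
// Counted in bytes, not characters: 40 two-byte characters already exceed the limit.
function ignoredBytes(password) {
  return Math.max(0, new TextEncoder().encode(password).length - 72);
}

// Flags a stored hash whose cost is below the current policy minimum.
function audit(hash, minCost) {
  const parsed = parseBcrypt(hash);
  if (!parsed) return "invalid";
  return parsed.cost < minCost ? "rehash: cost below policy" : "ok";
}

console.log(parseBcrypt(SAMPLE), ignoredBytes("\u00e9".repeat(40)), audit(SAMPLE, 12));
```

Because the cost is read from the stored string, `audit` can run over a credential table offline; the rehash itself has to wait until the user next logs in and the plaintext is available.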