Bcrypt Generator

Bcrypt is a password hashing function designed for security over speed — intentionally slow to make brute-force attacks computationally expensive. It automatically includes a random salt to prevent rainbow table attacks and is the standard for storing passwords in web applications. Unlike MD5 or SHA-256, which are designed to be fast and can process billions of hashes per second on modern hardware, bcrypt's deliberate slowness makes it resistant to bulk password cracking.

This tool uses the bcryptjs library, running entirely in your browser. Your plain text password is never transmitted to any server — making it safe to use with real passwords during development or testing. You can generate new hashes and verify strings against existing hashes without any risk of interception.

1. Choose your mode — select "Hash" to generate a new bcrypt hash from a plain text string, or "Verify" to check whether a plain text string matches an existing hash.
2. Enter your plain text — type or paste the password or string you want to hash; it stays in your browser and is never transmitted anywhere.
3. Set the cost factor — choose a cost factor between 10 and 14; cost 10 is the minimum for production use, cost 12 is the current recommendation. Higher values add more protection at the cost of hash generation time.
4. Copy the hash — click copy to grab the bcrypt hash string, ready to store in your database or use in your test fixtures.

The cost factor (also called salt rounds or work factor) controls how computationally expensive bcrypt is to run. A cost of 10 means the algorithm performs 2¹⁰ = 1,024 iterations. A cost of 12 means 2¹² = 4,096 iterations — four times slower than cost 10. Each increment doubles the work, so cost 14 is 16× slower than cost 10. This exponential scaling is what allows bcrypt to remain secure as hardware gets faster over time — you simply increment the cost factor.

• Developers verifying their bcrypt implementation before deploying it — generate a hash here, then confirm your application verifies it correctly.
• Security engineers generating test hashes for development and staging environments, where a known plaintext/hash pair is needed for fixtures or seed data.
• Anyone learning how password hashing works and wanting to see how the cost factor and salt affect the output string in practice.

• Privacy — plain text runs through bcryptjs entirely in your browser and is never transmitted anywhere; this is one of the strongest privacy guarantees on the site.
• Free — no account, no subscription, no rate limiting.
• No account required — generate and verify hashes immediately with no setup.
• Adjustable cost factor — test cost factors from 10 to 14 to understand the performance trade-off before choosing a value for your application's hardware.

Generating a test hash to seed a development database with a known password. Verifying that a password your application is hashing matches the expected bcrypt format before deploying to production. Comparing hash generation time at different cost factors to find the right balance for your server's hardware — aim for under 250ms per hash on your login endpoint. Teaching a team or class how bcrypt salting and key stretching work by showing the same password producing different hashes on each run.