Password hashing · Client-side

bcrypt Text Hash Generator

Produce bcrypt password hashes with full control over the cost factor and salt handling. Run everything in the browser to keep sensitive values local. Need file support? Switch to thebcrypt file tool →

Text bcrypt hash

Generate bcrypt password hashes with configurable cost factors. Salts are generated automatically, and bcrypt only processes the first 72 bytes of the input.

Password or phrase

Current length: 0 characters

Cost factor (log rounds)

Higher costs slow down hashing but improve resistance to brute force attacks. Typical values range from 10 to 14.

bcrypt hash

Enter a password and click Generate to produce a bcrypt hash.

Hash validation

Enter a target hash to validate.

bcrypt overview

bcrypt is deliberately slow to hamper brute-force attacks. The cost factor controls how many rounds are run (specifically 2^cost iterations). Bumping the cost by 1 roughly doubles the runtime, so scale it to match the responsiveness you need on your deployment hardware.

Salts are fixed-size 16-byte values that must be random and unique per hash to defend against rainbow tables. The generated bcrypt hash already bundles both the salt and cost factor, so storing the hash alone is sufficient for later verification.

Why do we need random salts?

Random salts ensure that two users choosing the same password never share a hash. They defeat rainbow tables, undermine precomputed attack dictionaries, and stop attackers from spotting password reuse across accounts. Because the salt is embedded in the hash output, every run automatically produces a unique fingerprint even if the underlying password and log rounds stay unchanged.

How many rounds should I use?

12 rounds is a common production baseline. Raising the cost increases security but also processing time, so pick a value that balances user experience with your threat model—higher is better if your environment can tolerate the latency.

Is this tool secure?

All hashing happens locally in your browser using the bcryptjs library. No input data or generated hashes are transmitted or stored on any server.

Can I use this in production?

Treat this interface as a learning and testing aid. For production environments, integrate bcrypt directly into your application with a vetted server-side library so you can manage secrets, rate limiting, and audit trails properly.