Bcrypt Hash & Verify
A free bcrypt hash generator online — adjustable work factor and password verification, all in your browser.
Hash a password
Verify a password
What is bcrypt?
Bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. Unlike general-purpose hashes such as SHA-256 or MD5 — which are designed to be fast — bcrypt is deliberately slow, salted, and tunable, which is exactly what password hashing online needs. Each bcrypt hash is a self-contained 60-character string that embeds the algorithm version, cost factor, 128-bit random salt, and the resulting digest, so a database column only needs to store one value per user.
Bcrypt work factor — what to pick
The bcrypt work factor (also called the cost) controls how expensive one hash is: each step up doubles the work. A cost of 10 was the historical default; modern guidance is the highest value your server can absorb in roughly 100–300 ms per login. On current hardware that's usually 11–13 — pick 14 for very high-value accounts if you can afford the latency. The cost is stored inside the hash, so you can transparently re-hash on next login as hardware gets faster.
Bcrypt vs Argon2
Both are correct choices for password hashing in 2025. Bcrypt is older, ubiquitous, and battle-tested — it has libraries everywhere and ships with most web frameworks by default. Argon2idis the current OWASP recommendation for new systems: it adds memory-hardness, which makes GPU and ASIC attacks meaningfully more expensive than they are against bcrypt. Use Argon2id when you're building from scratch and your runtime supports it; stick with bcrypt when you need broad library support or are working in an existing system that already uses it. Either is fine — what matters is that you are not using a fast hash like SHA-256 or MD5 for passwords.