
Free Bcrypt Hash Generator

Generate bcrypt hashes for password storage testing, and verify existing hashes against a plaintext password. Configurable cost factor from 4 (fast) to 14 (slow but very secure). Runs entirely in your browser.

Higher cost = harder to crack, but slower to verify on every login. 10 is the modern default; 12 is for high-security systems.



How bcrypt works

Bcrypt is built on the Blowfish cipher with an intentionally expensive key-setup phase. The cost factor controls how many rounds of key-setup are performed — each unit increase doubles the work. Even with modern GPUs, a single cost-12 bcrypt verification takes roughly 250ms, which is fine for a login form but prohibitively expensive at attack scale.

Reading a bcrypt hash

A bcrypt hash looks like $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy and decomposes as:

  • $2b$ — version identifier (2b is current; 2a/2y are older variants)
  • 10$ — cost factor (10, the base-2 logarithm of the round count: 2^10 = 1,024 key-setup rounds)
  • N9qo8uLOickgx2ZMRZoMye — 22-character salt
  • IjZAgcfl7p92ldGxad68LJZdL17lhWy — 31-character hash
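
The breakdown above can be checked mechanically. The following is an added example, not code from this page or from bcryptjs: a structural parser that splits a stored hash into its fields, decodes the salt to its 16 raw bytes, and flags hashes whose cost is below a chosen minimum so they can be rehashed at the next successful login. The function names (decodeBcryptB64, parseBcryptHash, needsRehash) are hypothetical, and no hashing is performed.

```javascript
// Added example: structural parser for bcrypt hash strings (hypothetical helper names).
// bcrypt uses its own base64 alphabet and no padding characters.
const BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// $<version>$<2-digit cost>$<22-char salt><31-char hash>, 60 characters in total.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode bcrypt-flavoured base64 into an array of byte values.
function decodeBcryptB64(text) {
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of text) {
    buffer = (buffer << 6) | BCRYPT_B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return bytes; // trailing bits (fewer than 8) are padding and are dropped
}

// Split a hash into its fields; returns null for anything malformed.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // each cost step doubles the work
    salt: m[3],
    saltBytes: decodeBcryptB64(m[3]), // 22 characters decode to 16 bytes
    digest: m[4],
  };
}

// Policy check: true when the stored hash is malformed or weaker than minCost.
function needsRehash(hash, minCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < minCost;
}
```

Running needsRehash over stored hashes after a successful login is a common way to raise the cost factor over time without forcing password resets.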

Frequently asked questions

Bcrypt is a deliberately-slow password hashing function, designed in 1999 specifically to resist brute-force attacks on stolen password databases. Its cost parameter can be increased over time as CPUs get faster, future-proofing the hash.

10 is the modern default. 12 is appropriate for higher-security systems (admin passwords, financial). Each step doubles the time to hash, so 12 is 4× slower than 10. Pick the highest cost your login flow can tolerate — typically aim for ~200ms per hash on your production hardware.

Bcrypt incorporates a random 16-byte salt into every hash. The salt is stored inside the resulting string (the $2b$10$XXXXXX... part), so verification still works — but two identical passwords produce different hashes, defeating rainbow-table attacks.

Bcrypt and Argon2 are both good. Argon2 is the newer winner of the Password Hashing Competition (2015) and resists GPU/ASIC attacks better. Bcrypt has wider library support and a longer track record. For new systems, prefer Argon2id if your stack supports it; otherwise bcrypt at cost 10+ is still excellent.

Yes. The hashing runs entirely in your browser using bcryptjs. The plaintext password is never sent to a server. Don't enter a real production password — generate test hashes only.
