utilAZ Logo

Bcrypt Password Hash Generator

Generate secure bcrypt password hashes with customizable salt rounds

Generate Bcrypt Hash

Fast (4)Balanced (12)Secure (20)
Security Level: Strong - Excellent security

Verify Password

Enter password and hash to verify automatically

Bcrypt Security Tips

  • Salt Rounds: Use 10-12 rounds for most applications, 12-15 for high-security
  • Performance: Higher rounds = more secure but slower (test on your hardware)
  • Future-Proof: You can increase rounds over time as hardware improves
  • Never Store: Never store plain text passwords, always hash them
  • Unique Salts: Bcrypt automatically generates unique salts for each hash

About Bcrypt Password Hashing

Bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher. It's specifically designed to be slow and computationally expensive, making it resistant to brute-force attacks and ideal for secure password storage.

  • Adaptive hashing function with configurable work factor
  • Built-in salt generation for each password
  • Time-tested and widely adopted in production systems
  • Resistant to rainbow table and brute-force attacks
  • Future-proof with adjustable computational cost

Bcrypt Security Features

Security Benefits

  • Adaptive Cost: Adjustable work factor (salt rounds)
  • Built-in Salt: Automatic unique salt for each hash
  • Time Delay: Intentionally slow to prevent brute force
  • Future Proof: Increase cost as hardware improves
  • Battle Tested: Used by major platforms worldwide

Technical Aspects

  • Algorithm: Based on Blowfish encryption
  • Output Length: 60 character hash string
  • Salt Rounds: 4-31 (recommended: 10-12)
  • Format: $2a$rounds$salt+hash
  • Verification: Compare plaintext to stored hash

Frequently Asked Questions

How to generate bcrypt password hash?

Enter your plaintext password in the utilAZ bcrypt generator, select a cost factor (default 10), and click Generate. The tool runs the Blowfish-based key derivation with a random 128-bit salt and outputs a 60-character hash string starting with $2b$. The entire process runs client-side so your password never leaves the browser.

What is bcrypt hash format?

A bcrypt hash is 60 characters: $2b$CC$SSSSSSSSSSSSSSSSSSSSSSHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH where $2b$ is the algorithm version, CC is the two-digit cost factor, the next 22 characters are the Base64-encoded salt, and the final 31 characters are the Base64-encoded hash digest.

How to choose the bcrypt cost factor?

Choose a cost factor so hashing takes 250-500 ms on your production hardware. Cost 10 is the minimum recommended today (~65 ms on modern CPUs). Cost 12 gives ~260 ms. Increase by 1 every 18 months as hardware gets faster. For admin accounts consider cost 14+.

Bcrypt vs sha256 which is better?

Bcrypt is far better for password storage. SHA-256 computes billions of hashes per second on a GPU, enabling fast brute-force attacks. Bcrypt is intentionally slow, memory-hard, and includes a built-in salt. SHA-256 is appropriate for data integrity checks, not password hashing.

How to verify bcrypt hash?

Paste the stored hash and the candidate password into the Verify tab. The tool extracts the cost factor and salt from the hash, re-hashes the candidate with the same parameters, and compares the results in constant time. A match confirms the password is correct without ever decrypting the hash.

Why is bcrypt secure for passwords?

Bcrypt is secure because it is intentionally slow (adjustable via cost factor), includes a unique 128-bit salt per hash to prevent rainbow tables, uses the Eksblowfish cipher that resists GPU parallelism, and its cost can be increased over time as hardware improves without invalidating existing hashes.

Bcrypt Hash Examples

Hash Structure:

Bcrypt Hash Format:
$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
$2a$ - Algorithm identifier
12$ - Cost factor (salt rounds)
R9h/cIPz0gi.URNNX3kh2O - 22-char salt
PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW - 31-char hash

Salt Rounds Comparison:

Salt Rounds: 10
Time: ~65ms
Security: Good for most apps
Use: Standard web applications
Salt Rounds: 12
Time: ~250ms
Security: High security
Use: Recommended default
Salt Rounds: 15
Time: ~2000ms
Security: Maximum security
Use: High-value accounts

Bcrypt Implementation

Here's how to use bcrypt in popular languages and frameworks:

Node.js (bcryptjs):

const bcrypt = require('bcryptjs'); // Generate hash const saltRounds = 12; const hash = await bcrypt.hash('myPassword', saltRounds); // Verify password const isMatch = await bcrypt.compare('myPassword', hash); console.log(isMatch); // true

Python:

import bcrypt # Generate hash password = b'myPassword' salt = bcrypt.gensalt(rounds=12) hashed = bcrypt.hashpw(password, salt) # Verify password is_valid = bcrypt.checkpw(b'myPassword', hashed) # True

PHP:

// Generate hash $hash = password_hash('myPassword', PASSWORD_BCRYPT, ['cost' => 12]); // Verify password $isValid = password_verify('myPassword', $hash); // true

Bcrypt Best Practices

  • Choose Appropriate Rounds: Start with 12 rounds, adjust based on performance needs
  • Monitor Performance: Hash time should be 250-500ms on your hardware
  • Plan for Migration: Implement system to upgrade rounds over time
  • Use Proper Libraries: Use established bcrypt libraries, not custom implementations
  • Secure Password Input: Always validate and sanitize password input
  • Constant Time Comparison: Use timing-safe comparison for verification
  • Store Safely: Protect hash storage with database security measures

Common Use Cases

  • User authentication systems
  • Web application login security
  • API authentication backends
  • Password management systems
  • Multi-factor authentication setup
  • Enterprise security applications
  • Mobile app user accounts
  • Database security implementations