bcrypt Tester

Hash passwords with bcrypt and verify plaintext passwords against existing hashes — choose your cost factor, all processed locally in your browser.

Open bcrypt Tester →

What is bcrypt?

bcrypt is the industry-standard algorithm for hashing passwords. Unlike general-purpose hash functions (MD5, SHA-1, SHA-256), bcrypt is deliberately slow, with a tunable cost factor, and includes a random per-password salt, which makes brute-force attacks far more expensive and defeats precomputed rainbow tables.

A bcrypt hash looks like: $2b$12$KIXpLB0hJk8fJO2swYpNlOkVRuQV5oUWmX7QHH8lhz0ULhLAG7KNO

How to Use It

1. Open the tool: go to Encode / Decode and scroll to the bcrypt Tester section.

2. Hash a password: enter the plaintext password, set the cost factor (12 recommended), and click Hash. Copy the resulting hash string.

3. Verify a hash: switch to Verify mode, enter the plaintext password and the bcrypt hash. Click Verify to see if they match.

4. Use in your application: store the bcrypt hash (not the plaintext) in your database. On login, use bcrypt's compare function to verify the password.

Cost Factor Guide

The cost factor sets how much work bcrypt does: it runs 2^cost rounds of its key setup, so each increment doubles the time to hash a password (and the time an attacker needs per guess). Higher values provide better security but take more time to compute:

Cost 10 — Fast (≈100 ms). Minimum for most applications.
Cost 12 — Recommended (≈300 ms). Good balance for 2024.
Cost 14 — Strong (≈1200 ms). Use for highly sensitive accounts.
Never go below 10 in production. The timings above are indicative; measure on the hardware that will actually run your login path.

Pro Tips

💡 bcrypt hashes include the salt — you don't need to store the salt separately. The full hash string is everything you need to store in the database.
💡 Two hashes of the same password will be different each time (different random salts). This is correct behaviour — verify using bcrypt's compare, not string equality.
💡 bcrypt truncates passwords at 72 bytes. For longer passwords, pre-hash with SHA-256 first (or use Argon2, which has no length limit).

Frequently Asked Questions

Why not use SHA-256 for passwords?
SHA-256 is too fast — an attacker can compute billions of SHA-256 hashes per second on a GPU. bcrypt is designed to be slow, making each guess in a brute-force attack orders of magnitude more expensive.
What does the hash prefix mean?
$2b$12$ means: bcrypt version 2b, cost factor 12. The following 22 characters are the random salt, and the remaining 31 characters are the hash.
Do I need to store the salt separately?
No — the salt is embedded in the hash string. Store the entire hash string in your database and use bcrypt's compare function to verify passwords.
Is my password sent anywhere?
No — all hashing happens in your browser using JavaScript. Your password never leaves your machine.
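The points above (the $2b$cost$salt+hash layout, the cost-factor guide, the 72-byte limit and "use compare, not string equality") are straightforward to turn into application code. The following is an added example written for this page, not the Devbin tool's own code: a parser for the hash format, a rehash policy check, a pre-hash step for long passwords, and a cost calibration loop. It assumes the `bcrypt` PyPI package for the functions that actually hash or verify (`hash_password`, `verify_password`, `measure_bcrypt_ms`); everything else is standard library, and all function names are this example's own. The pre-hash step base64-encodes the SHA-256 digest rather than passing raw digest bytes, because a raw digest can contain a NUL byte, which C bcrypt implementations treat as the end of the password.

```python
# Added example (not Devbin's tool code): parse the bcrypt hash format the
# page describes, apply a cost-factor policy, handle the 72-byte limit and
# calibrate the cost factor by measurement. Only hash_password,
# verify_password and measure_bcrypt_ms need the `bcrypt` PyPI package
# (an assumption); everything else is standard library.
import base64
import hashlib
import re
import time

# Layout from the page: $2b$12$ + 22 salt chars + 31 hash chars.
# bcrypt uses its own base64 alphabet ("./A-Za-z0-9"), not RFC 4648.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
MIN_COST = 10     # the page's floor for production
TARGET_COST = 12  # the page's recommendation


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a bcrypt string into version, cost, salt and digest; reject anything else."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # the range the bcrypt algorithm itself allows
        raise ValueError(f"cost {cost} out of range")
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def needs_rehash(stored: str, target_cost: int = TARGET_COST) -> bool:
    """True when a stored hash used a lower cost than current policy, so the
    application should rehash the password on the next successful login."""
    return parse_bcrypt_hash(stored)["cost"] < target_cost


def prepare_password(password: str) -> bytes:
    """Bytes to hand to bcrypt. Passwords over 72 bytes are pre-hashed with
    SHA-256 and base64-encoded (44 bytes, no NUL) so nothing is silently
    truncated and no NUL byte can end the input early in C implementations."""
    raw = password.encode("utf-8")
    if len(raw) <= 72:
        return raw
    return base64.b64encode(hashlib.sha256(raw).digest())


def hash_password(password: str, cost: int = TARGET_COST) -> str:
    """Produce a fresh hash; the salt is generated by the library and embedded."""
    import bcrypt  # assumption: `pip install bcrypt`
    if cost < MIN_COST:
        raise ValueError("cost below production minimum")
    salt = bcrypt.gensalt(rounds=cost)
    return bcrypt.hashpw(prepare_password(password), salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Use the library's compare (constant-time), never string equality."""
    import bcrypt  # assumption: `pip install bcrypt`
    parse_bcrypt_hash(stored)  # fail loudly on a malformed stored value
    return bcrypt.checkpw(prepare_password(password), stored.encode("ascii"))


def choose_cost(target_ms: float, time_hash, min_cost: int = MIN_COST, max_cost: int = 14) -> int:
    """Highest cost in [min_cost, max_cost] whose measured time stays within
    target_ms; never returns less than min_cost. time_hash(cost) must return
    the milliseconds one hash takes on this host."""
    chosen = min_cost
    for cost in range(min_cost, max_cost + 1):
        if time_hash(cost) > target_ms:
            break
        chosen = cost
    return chosen


def measure_bcrypt_ms(cost: int) -> float:
    """Time one real bcrypt hash at the given cost (needs the library)."""
    import bcrypt  # assumption: `pip install bcrypt`
    start = time.perf_counter()
    bcrypt.hashpw(b"calibration-only", bcrypt.gensalt(rounds=cost))
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    # The hash string from this page, parsed into its fields.
    print(parse_bcrypt_hash("$2b$12$KIXpLB0hJk8fJO2swYpNlOkVRuQV5oUWmX7QHH8lhz0ULhLAG7KNO"))
    print("cost for ~300 ms on this machine:", choose_cost(300, measure_bcrypt_ms))
```

Run `choose_cost(300, measure_bcrypt_ms)` once at deployment time rather than on every request, and keep `needs_rehash` in the login path so hashes made under an older, lower cost are upgraded transparently as users sign in.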

Test bcrypt now

Open the bcrypt Tester and hash or verify passwords instantly — no login, no server required.

Open bcrypt Tester →