Bcrypt Tester

Password Hash Generator & Verifier

Generate secure bcrypt hashes and verify password authentication. Perfect for testing login systems and understanding bcrypt cost rounds.

How to Use

Choose Mode
Select 'Verify' to check if a password matches a hash, or 'Generate' to create a new bcrypt hash
Enter Password
Input the plaintext password and hash (for verification) or just password (for generation)
Get Result
Click the button to verify match or generate hash. Adjust cost rounds for generation (10 recommended)

All hashing and verification happens in your browser using bcrypt.js. No passwords are sent to servers.

bcryptテスター

Test if a plaintext password matches a bcrypt hash. Useful for debugging authentication issues.

Plaintext Password

Bcrypt Hash

Create a secure bcrypt hash from a plaintext password. Higher cost = more secure but slower.

Plaintext Password

Cost Rounds

Higher cost = exponentially slower but more secure against brute-force attacks

Use Cases

Test Login Systems

Verify that your authentication code correctly hashes and compares passwords before deploying to production

Debug Authentication Issues

Check if login failures are caused by incorrect password comparison or hash generation bugs

Understand Cost Rounds

Experiment with different cost rounds (8, 10, 12) to balance security and performance for your application

Password Migration

Generate bcrypt hashes when migrating from less secure hashing algorithms (MD5, SHA-1) to bcrypt

Security Audits

Test password strength and verify that your system uses appropriate bcrypt cost rounds (minimum 10)

Learning & Education

Understand how bcrypt works, why it's secure, and how cost rounds affect computation time

What is Bcrypt?

Bcrypt is a password hashing function designed to be slow and computationally expensive, making it resistant to brute-force attacks. It's the industry standard for securely storing passwords.

How Bcrypt Works

Bcrypt uses the Blowfish cipher with a salt and cost factor. The cost factor (rounds) determines how many iterations the algorithm performs - each increment doubles the computation time, making attacks exponentially harder.

Why Use Bcrypt?

Unlike MD5/SHA which are fast (bad for passwords), bcrypt is intentionally slow. This makes brute-force attacks impractical. A cost of 10 means 2^10 (1,024) iterations, taking ~100ms to hash - negligible for login but devastating for attackers trying billions of passwords.

Security Best Practices

Use a cost of 10-12 for most applications. Cost 10 is the current minimum recommended. Never use MD5 or SHA-1 for passwords - they're broken. Never store plaintext passwords. Always use bcrypt, Argon2, or scrypt for password hashing.

Frequently Asked Questions

What cost rounds should I use?

Use cost 10 as the minimum (current standard). Cost 12 is better for high-security applications. Cost 8 is too weak for modern attacks. Each increment doubles computation time, so test performance on your server before choosing.

Can I verify bcrypt hashes without the secret key?

Yes! Bcrypt doesn't use a secret key - it uses a salt that's embedded in the hash itself. You only need the plaintext password and the hash to verify. This is different from HMAC.

Why does verification take so long?

That's the point! Bcrypt is intentionally slow to prevent brute-force attacks. If it takes 100ms for you to verify one password, it would take attackers years to try billions of passwords.

What's the format of a bcrypt hash?

Bcrypt hashes look like: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy. Format: $algorithm$cost$salthash where algorithm is 2a/2b (bcrypt versions), cost is rounds, and salthash is the combined salt and hash.

Is bcrypt better than Argon2?

Argon2 is newer and theoretically better (won the Password Hashing Competition), but bcrypt is still excellent and more widely supported. Both are secure - use whichever your framework/library supports well.

Can I convert MD5/SHA hashes to bcrypt?

No, hashing is one-way - you can't convert. You must ask users to reset passwords or re-hash during their next login (double-hashing: bcrypt(md5(password)) temporarily, then bcrypt only after next login).

Does this tool store my passwords?

No! All hashing and verification happens in your browser using the bcrypt.js library. Nothing is sent to any server. You can verify this by disconnecting from the internet - it still works.

What's the difference between bcrypt.js and server-side bcrypt?

They produce identical hashes using the same algorithm. The only difference is speed - server-side (Node.js, PHP) may be faster. Both are secure and compatible.