Bcrypt Password Hasher
Generate a bcrypt hash from a password or verify a password against an existing hash.
Hashing and verification run entirely in your browser. Nothing you type is uploaded.
How to use this tool
To create a hash, stay on the "Hash a password" tab, type the password you want to protect, and pick a cost factor with the slider. A higher cost makes the hash slower to compute, which makes brute-force attacks harder but also takes longer in your browser. Click "Generate hash" and the bcrypt string appears below; use "Copy hash" to grab it. To check a password against a stored hash, switch to the "Verify a hash" tab, paste the bcrypt hash, type the password, and click "Verify match" to see whether they correspond.
How bcrypt works
Bcrypt is a password hashing function built on the Blowfish cipher. It folds a random salt into every hash, so the same password produces a different output each time, which defeats precomputed rainbow tables. The cost factor sets how many key-setup rounds run (2 raised to the cost), making the function deliberately slow. As hardware gets faster, you raise the cost to keep brute-forcing expensive. The final string packs the algorithm version, the cost, the salt, and the checksum together, so a verifier needs only the hash and the candidate password.
A real example
Suppose you hash the password "correct horse" at cost factor 10. The tool runs 2^10, or 1,024, key-setup rounds and returns something like $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy. Hash the same password again and you get a completely different string because a new random salt is used, yet both verify correctly against "correct horse". Paste either hash into the verify tab with the wrong password and the result reads "No match".
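The string layout described under "How bcrypt works", as an added example that is not part of this tool's code or of bcryptjs: it splits a bcrypt string into version, cost, salt and checksum, and reports whether a stored hash falls below a minimum cost. The function names parseBcryptHash and costStatus and the minCost parameter are assumptions made for illustration.

```javascript
// Added example. parseBcryptHash and costStatus are hypothetical helpers,
// not functions exported by bcryptjs.

// Layout: $<version>$<2-digit cost>$<22-char salt><31-char checksum>
// Salt and checksum use bcrypt's own base64 alphabet (./A-Za-z0-9).
const BCRYPT_RE =
  /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  // 7 prefix characters + 22 + 31 = 60 characters in total.
  if (typeof hash !== "string" || hash.length !== 60) return null;
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  // bcrypt implementations accept cost factors from 4 to 31.
  if (cost < 4 || cost > 31) return null;
  return {
    version: m[1],
    cost,
    rounds: 2 ** cost, // key-setup rounds, 2 raised to the cost
    salt: m[3],        // 22 characters encode the 128-bit salt
    checksum: m[4],    // 31 characters encode the 184-bit output
  };
}

// Classify a stored hash against a minimum cost (minCost is an assumed
// policy value): "invalid" means the string is not a well-formed bcrypt
// hash, "upgrade" means it should be re-hashed at the user's next login.
function costStatus(hash, minCost) {
  const parsed = parseBcryptHash(hash);
  if (parsed === null) return "invalid";
  return parsed.cost < minCost ? "upgrade" : "ok";
}

// The example string quoted on this page.
const SAMPLE = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";

console.log(parseBcryptHash(SAMPLE));
console.log(costStatus(SAMPLE, 12));
```

Because the cost is read from the stored string, raising the minimum later does not break old hashes: they still verify, and costStatus marks them for re-hashing.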
Common questions
Is this bcrypt generator really client-side?
Yes. The page loads the open-source bcryptjs library and runs every hash and verification in your browser using JavaScript. No password or hash is ever sent to a server.
What cost factor should I choose?
A cost of 10 to 12 is a common, sensible default for most applications in 2026. Higher values are more secure but slower. Pick the highest value your servers can handle without noticeably slowing logins.
Why does the same password give a different hash each time?
Bcrypt mixes a fresh random salt into every hash. The salt is stored inside the output string, so two different hashes of one password both still verify correctly on the "Verify a hash" tab.
Can I verify a hash made by another bcrypt library?
Usually yes. Bcrypt hashes that start with $2a$, $2b$, or $2y$ share the same format, so a hash from PHP, Python, or Node should verify here as long as the password is correct.
Is bcrypt a good choice for a secure hash generator?
For passwords, yes. Bcrypt is purpose-built to be slow and salted. For general data integrity you would use SHA-256 instead, but for storing login passwords a slow, salted hash like bcrypt is the right tool.
This tool is provided for educational and development use. Always follow your own organization's security policies when handling real user credentials.