bcrypt Compare

bcrypt Compare verifies a plaintext password against an existing bcrypt hash and tells you clearly whether they match. It is the correct way to test a bcrypt hash — you cannot simply re-hash and compare strings, because every bcrypt hash uses a different random salt.

Everything runs in your browser, so neither the password nor the hash is transmitted anywhere.

Comparison is constant-time inside bcrypt and runs entirely in your browser. A bcrypt hash already contains its salt, so no extra input is needed.

How to use bcrypt Compare

  1. Enter the plaintext

     Type the original password or string you want to verify into the first field.

  2. Paste the bcrypt hash

     Paste the stored $2a$ (or $2b$/$2y$) bcrypt hash into the second field.

  3. Compare

     Click Compare to see a clear MATCH or NO MATCH result. The cost factor parsed from the hash is shown alongside.

Why you can't just re-hash and compare

bcrypt embeds a fresh random salt in every hash, so hashing the same password twice produces two different strings. Re-hashing a candidate password and comparing the output to the stored hash as a string would therefore always fail, even when the password is correct.

Verification instead extracts the salt and cost factor stored inside the existing hash, re-runs bcrypt on the candidate password with those exact parameters, and checks whether the result matches. That is precisely what this tool — and bcrypt.compare in your backend — does.

Reading the result and the cost factor

A green MATCH badge means the plaintext is the correct password for that hash; a red NO MATCH means it is not. If the hash string is malformed or uses an unsupported format, the tool catches the error and tells you the hash is invalid rather than guessing.

The displayed cost (rounds) is parsed straight from the hash. It reflects the work factor that was used when the hash was created, which is useful for auditing whether stored hashes meet your current security policy.
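The cost audit described above can be scripted without running bcrypt at all, because the version and cost sit in the hash prefix. The following is an added example, not this tool's code: the function names, the minimum-cost policy value of 10, and the sample strings are assumptions made for illustration.

```javascript
// Added example: parse the fields of a bcrypt hash string and audit its cost.
// Layout: $<version>$<cost>$<22-char salt><31-char digest>, 60 characters total.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  // Trim first: pasted hashes often carry a trailing newline or space.
  const m = typeof hash === 'string' ? BCRYPT_RE.exec(hash.trim()) : null;
  if (!m) throw new Error('unexpected format');
  const cost = Number(m[2]);
  // The cost is log2 of the iteration count; bcrypt accepts 4 through 31.
  if (cost < 4 || cost > 31) throw new Error('cost out of range');
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// minCost is whatever your current policy requires (assumed value below).
function auditHashes(hashes, minCost) {
  return hashes.map((h) => {
    try {
      const { version, cost } = parseBcryptHash(h);
      return { version, cost, status: cost >= minCost ? 'ok' : 'below-policy' };
    } catch (err) {
      // Report malformed input explicitly instead of guessing at its fields.
      return { version: null, cost: null, status: 'invalid', reason: err.message };
    }
  });
}

// Constructed strings with the right shape; they are not real password hashes.
const filler = 'A'.repeat(22) + 'B'.repeat(31);
const SAMPLES = [
  '$2b$12$' + filler,              // meets a minimum cost of 10
  '$2a$08$' + filler,              // well-formed but below policy
  '$2y$10$' + filler.slice(0, 50), // truncated: too short to be valid
  '$2b$03$' + filler,              // cost below bcrypt's minimum of 4
];

console.log(auditHashes(SAMPLES, 10));
```

A hash flagged below-policy can only be upgraded by re-hashing the password at a higher cost, which requires the plaintext, for example at the user's next successful login.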

Frequently asked questions

Why not just hash the password again and compare?
Because bcrypt uses a random salt per hash, re-hashing gives a different string every time. You must verify with bcrypt's compare function, which uses the salt embedded in the stored hash.

What if my hash is invalid?
The tool catches the error and shows a clear message instead of a result, so you know the hash string itself is malformed or unsupported.

Is anything sent to a server?
No. The comparison runs entirely in your browser with bcryptjs, so the password and hash stay on your device.
