bcrypt Generator
bcrypt Generator creates a salted bcrypt hash from any password or text, with a cost factor you control. bcrypt is the go-to algorithm for storing passwords because it is deliberately slow and embeds a random salt in every hash.
Hashing runs in your browser on a button click — never as you type — because higher cost factors are intentionally CPU-intensive. Your input is never sent anywhere.
Higher cost = exponentially slower = more resistant to brute force. A cost of 10 means 2^10 key-expansion iterations. 10–12 is a good modern default.
How to use bcrypt Generator
1. Enter the text
   Type the password or string you want to hash into the input field.
2. Choose a cost factor
   Use the slider to pick a cost (rounds) from 4 to 14. Each step doubles the work; 10–12 is a sensible modern default.
3. Generate and copy
   Click Generate hash to produce a $2a$ bcrypt hash, then copy it. Generating again yields a different hash thanks to a fresh random salt.
How bcrypt works: salt and cost factor
bcrypt is a password-hashing function based on the Blowfish cipher. Before hashing it generates a random salt and mixes it in, so two users with the same password get completely different hashes and precomputed rainbow tables are useless.
The cost factor (also called rounds or work factor) controls how many key-expansion iterations bcrypt performs: the key-expansion loop runs 2^cost times. Increasing the cost by one doubles the time it takes to compute a hash, for you and for an attacker alike, letting you keep pace with faster hardware over the years.
Reading the $2a$ hash format
A bcrypt hash looks like $2a$10$N9qo8uLOickgx2ZMRZoMy.... The $2a$ identifies the bcrypt variant, 10 is the cost factor, and the next 22 characters are the encoded 128-bit salt. The remaining characters are the actual hash. Because the salt and cost are stored inside the string, no extra fields are needed to verify a password later.
Every generation produces a new hash because the salt is random — this is by design, not a bug. Use the bcrypt Compare tool (or bcrypt.compare in your backend) to check a password against a stored hash; never compare hash strings directly.
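The layout described above can be split into its fields without any bcrypt library, which is useful for auditing the cost factor of hashes already in a database. The following JavaScript is an added example, not code from this tool or from bcryptjs; the function names are illustrative and the sample string is constructed (valid layout only, not the hash of any password).

```javascript
// Added example: split a stored bcrypt string into variant, cost and salt.
// All names here are illustrative; nothing below is part of bcryptjs.
const ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const FORMAT = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// bcrypt uses its own base64 alphabet and no padding, so atob() does not apply.
function decodeBcryptBase64(text) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | ALPHABET.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return bytes; // leftover bits (4 of them for a 22-character salt) are dropped
}

// Returns null for anything that is not a well-formed bcrypt string.
function parseBcryptHash(stored) {
  const m = FORMAT.exec(stored);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // range bcrypt itself accepts
  return {
    variant: m[1],
    cost,
    iterations: 2 ** cost,
    salt: decodeBcryptBase64(m[3]), // 16 bytes = 128 bits
    digest: m[4],
  };
}

// Flags hashes below the current policy so they can be re-hashed at next login.
// Malformed values are flagged too, since they cannot be verified at all.
function needsRehash(stored, minCost) {
  const parsed = parseBcryptHash(stored);
  return parsed === null || parsed.cost < minCost;
}

// Constructed sample: valid layout only, not the hash of any password.
const SAMPLE = "$2a$10$" + "9".repeat(22) + ".".repeat(31);
console.log(parseBcryptHash(SAMPLE), needsRehash(SAMPLE, 12));
```

Parsing only reads the stored parameters; checking a password against the hash still goes through bcrypt.compare.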
Why bcrypt for passwords
Fast hashes like MD5, SHA-1 and even SHA-256 are the wrong tool for passwords: an attacker with a leaked database can try billions of guesses per second. bcrypt is deliberately slow and tunable, dramatically reducing how many passwords can be tested.
Higher cost means slower and more secure, but also more load on your servers at login time, so choose a value that keeps each verification to a fraction of a second on your hardware, commonly 10 to 12.
Frequently asked questions
- Why does the hash change every time I click Generate?
  Because bcrypt generates a new random salt each time. Different salts produce different hashes for the same password — this is expected and makes the stored hashes safe.
- What cost factor should I use?
  10 to 12 is a good modern default. Higher is more secure but slower. Pick the highest value that still keeps login verification fast enough for your servers.
- Is my password sent to a server?
  No. bcrypt hashing runs entirely in your browser using bcryptjs, so the text never leaves your device.