Kordu Tools

Bcrypt Hash Verifier

Runs in browser

Verify a password against a bcrypt hash instantly in your browser. Supports $2a$, $2b$, and $2y$ prefixes. Nothing is uploaded.

Last updated 02 Apr 2026

Paste a plaintext password and a bcrypt hash ($2a$, $2b$, or $2y$) to verify whether they match. The bcryptjs library runs entirely in your browser — neither your password nor the hash is ever transmitted to any server.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. Each hash embeds a random salt and a cost factor, which makes brute-force attacks computationally expensive. Unlike unsalted MD5 or SHA-256 hashes, bcrypt hashes cannot be reversed via rainbow tables. Use it for all password storage.


How to use

  1. Open the Verify tab

     Click the 'Verify' tab at the top of the widget — it is the default on this page.

  2. Enter the plaintext password

     Type or paste the password you want to verify in the password input field.

  3. Paste the bcrypt hash

     Paste the full bcrypt hash (starting with $2b$, $2a$, or $2y$ followed by the cost factor and 53-character string) into the hash field.

  4. Click Verify Hash

     Click the 'Verify Hash' button. Wait 1–5 seconds while bcryptjs re-hashes your password with the embedded salt.

  5. Read the result

     The result shows 'Match' in green if the password is correct, or 'No Match' in red if it is not.

Frequently asked questions

How does bcrypt verification work?
A bcrypt hash embeds the random salt used to generate it. The verifier extracts this salt, re-hashes the provided password using that exact salt, and checks whether the result matches the stored hash. That is why the same password produces a different hash every time but still verifies correctly against each one.
Is this tool safe to use with real passwords?
Yes. All computation runs in your browser using the bcryptjs library. Neither the password nor the hash is transmitted to any server. The tool has no logging and no analytics that capture input values.
Are my inputs sent to a server?
No. Both the password and the hash stay entirely in your browser's memory. bcryptjs is a pure-JavaScript bcrypt implementation that runs client-side with no network requests.
Why does verification take so long?
Bcrypt is intentionally slow. The cost factor (e.g. 10 = 2¹⁰ = 1,024 iterations; 12 = 2¹² = 4,096) controls how long each verification takes. This makes brute-force password guessing infeasible — an attacker testing millions of candidates faces the same delay per guess.
What bcrypt hash formats are supported?
This tool supports $2b$ (current standard), $2a$ (original 1999 spec, still valid), and $2y$ (PHP-specific variant, functionally identical to $2b$). All three verify correctly against hashes generated by any compliant bcrypt library.
Can bcrypt be reversed or cracked?
Not in practice. Each bcrypt hash includes a unique random salt, making precomputed rainbow tables useless. Brute-force attacks are also impractical because each guess requires a full bcrypt computation at the stored cost factor — typically 3–10 guesses per second on a modern CPU at cost 10.
What if the hash I paste is invalid?
The tool validates the hash format before attempting verification. If the hash does not start with $2a$, $2b$, or $2y$ and contain valid structure, an error message is shown rather than attempting verification.
Why would verification fail for a password I believe is correct?
Common causes: leading or trailing whitespace in the password, the application transforms or trims the password before hashing, a different password was hashed, or the hash string is truncated. Re-paste both values carefully and ensure the full hash is included.
What is the difference between bcrypt and SHA-256 for passwords?
SHA-256 is a fast general-purpose hash — an attacker can test billions of SHA-256 guesses per second with modern GPUs. Bcrypt is specifically designed for passwords: it is slow by design, includes automatic salting, and has a tunable cost factor. Never use SHA-256 for password storage.
When should I use this tool vs the Bcrypt Generator?
Use the Bcrypt Generator to produce a new bcrypt hash from a plaintext password. Use this Bcrypt Checker when you already have a stored hash and want to confirm whether a given password matches it — for example, when debugging a login system.
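
The format check and salt extraction described in the answers above, as an added example that is not this tool's or bcryptjs's own code. It parses the 60-character layout, decodes the 16-byte salt, and reports the paste problems mentioned above (whitespace, truncation). The names `inspectBcryptHash` and `decodeSalt` and the sample string are assumptions made for illustration, and the 4-31 cost range is bcrypt's usual limit rather than something this page states.

```javascript
// Added example, not the tool's code. Layout of a 60-character bcrypt string:
//   $2b$ + two-digit cost + $ + 22-char salt + 31-char digest
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const SHAPE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// bcrypt uses its own base64 alphabet with no padding; 22 characters
// carry the 16 salt bytes (the last 4 bits are unused).
function decodeSalt(text) {
  const bytes = [];
  let buffer = 0, bits = 0;
  for (const ch of text) {
    buffer = (buffer << 6) | B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return bytes.slice(0, 16);
}

// Returns { valid, problems } and, when the shape parses, the decoded fields.
function inspectBcryptHash(input) {
  const problems = [];
  const hash = input.trim();
  if (hash !== input) problems.push("leading or trailing whitespace");
  const match = SHAPE.exec(hash);
  if (!match) {
    if (!/^\$2[aby]\$/.test(hash)) problems.push("prefix is not $2a$, $2b$ or $2y$");
    else if (hash.length < 60) problems.push(`truncated: ${hash.length} of 60 characters`);
    else problems.push("invalid structure");
    return { valid: false, problems };
  }
  const [, version, costText, saltText] = match;
  const cost = Number(costText);
  if (cost < 4 || cost > 31) problems.push("cost factor outside 4-31");
  return { valid: problems.length === 0, problems, version, cost,
           iterations: 2 ** cost, salt: decodeSalt(saltText) };
}

// Constructed sample with a valid shape (not a hash of any real password).
const SAMPLE = "$2b$12$" + "/" + ".".repeat(21) + "A".repeat(31);
console.log(inspectBcryptHash(SAMPLE));
console.log(inspectBcryptHash(SAMPLE.slice(0, 45) + "\n").problems);
```
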

Verify whether a plaintext password matches a stored bcrypt hash, entirely in your browser using the bcryptjs library.

**How bcrypt verification works:** A bcrypt hash encodes the random salt used during generation directly in the hash string. The verifier extracts this salt, re-hashes your password with it, and compares the result byte-for-byte against the stored hash. Match or no match — no server required.

**Use cases:**

- Debug authentication issues: confirm a stored hash matches a known password
- Test that your bcrypt library produces spec-compliant output
- Verify that a password was hashed correctly before storing in a database
- Audit security test fixtures in your CI pipeline

**Supported formats:** `$2b$` (current standard), `$2a$` (1999 original), and `$2y$` (PHP variant, equivalent to `$2b$`).

**Verification time:** Expect 1–5 seconds at cost factors 10–12. This delay is intentional — bcrypt's slowness is what makes brute-force attacks impractical.

**Privacy:** All computation runs client-side. Neither the password nor the hash leaves your device at any point.
