
Bcrypt Hash Generator

Runs in browser

Generate bcrypt hashes with configurable cost factor (4–31). Auto-salted, rainbow-table resistant, fully browser-based. Recommended for secure password storage.

Last updated 02 Apr 2026

Enter a password and select a cost factor (4–31) to generate a $2b$-prefixed bcrypt hash. A unique random salt is generated automatically for every hash. All processing runs entirely in your browser via bcryptjs — nothing is uploaded.

Cost factor: 2^10 = 1,024 iterations · ~1–2s

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. It embeds a random salt and a cost factor, making brute-force attacks computationally expensive. Unlike MD5 or SHA-256, bcrypt hashes cannot be reversed via rainbow tables. Use it for all password storage. Higher cost factors produce slower hashes — cost 10 is the industry default, balancing security and performance.


How to use

  1. Open the Generate tab

    The 'Generate' tab is active by default on this page.

  2. Enter your password

    Type or paste the password you want to hash into the input field.

  3. Choose a cost factor

    Select a cost factor from 4 to 31. Cost 10 is the OWASP minimum for production; cost 12 provides stronger protection for new systems.

  4. Wait for hashing to complete

    Hashing takes 300 ms at cost 10, up to several seconds at higher factors. A progress indicator is shown while bcryptjs works.

  5. Copy the bcrypt hash

    Click Copy to copy the full $2b$-prefixed hash for use in your database or config file.

Frequently asked questions

What is bcrypt and why use it for password storage?
Bcrypt is a password hashing function designed in 1999 by Niels Provos and David Mazières. Unlike general-purpose hashes like MD5 or SHA-256, bcrypt includes automatic random salting (preventing rainbow table attacks) and a configurable cost factor (keeping brute-force attacks expensive as hardware improves). It remains one of the most widely recommended password hashing algorithms.
What cost factor should I use?
OWASP recommends a minimum of cost 10, targeting roughly 100 ms of hashing time per operation. As hardware improves, raise the factor to maintain that target. Cost 12 (around 400 ms) is recommended for new systems in 2025. Never use below 10 in production.
Does bcrypt output change every time?
Yes. Bcrypt generates a new random 128-bit salt for every hash operation. The same password hashed twice produces two different hashes. Both will verify correctly against the original password — the salt is stored inside the hash string.
Is this tool safe to use with real passwords?
Yes. All hashing runs in your browser using bcryptjs. Nothing is uploaded. That said, avoid using production passwords in online tools as a general security practice.
Are my inputs sent to a server?
No. The bcryptjs library runs entirely client-side. Your password never leaves your browser at any point.
What does the $2b$ prefix mean?
$2b$ indicates the bcrypt algorithm version (the current standard). Earlier libraries used $2a$ (still valid) or $2y$ (PHP-specific). The number after the second $ is the cost factor; the next 22 characters are the base64-encoded salt; the final 31 characters are the hash.
Is bcrypt still recommended in 2025?
Yes. Bcrypt remains widely supported across all major frameworks and is well-audited. Argon2id is technically superior (NIST SP 800-63B recommends it as the preferred key derivation function), but bcrypt is an excellent choice for any system that already uses it or needs broad library support.
How does bcrypt compare to PBKDF2 and Argon2?
PBKDF2 is faster than bcrypt and requires more iterations (OWASP recommends 600,000+ for PBKDF2-SHA256) to achieve similar resistance. Argon2id is memory-hard, making GPU-based attacks harder, and is the current NIST recommendation. Bcrypt is a solid middle ground: slower than PBKDF2 by default and widely supported.
Can bcrypt hashes be verified with this tool?
Yes — switch to the Verify tab (or use the Bcrypt Checker tool) to paste a bcrypt hash and confirm whether a given password matches it.

Generate bcrypt hashes with a configurable cost factor, entirely in your browser using the bcryptjs library.

**Why bcrypt for passwords?** Unlike MD5 or SHA-256, bcrypt was designed specifically for password storage:

- **Random salt included** — every hash is unique, preventing rainbow table attacks even if two users share the same password

- **Tunable work factor** — increase the cost factor as hardware gets faster to maintain the same level of protection over time

- **Intentionally slow** — each verification costs time, making brute-force and credential-stuffing attacks computationally expensive

**Cost factor guide:**

- **4** — ~1 ms, development and testing only

- **10** — ~300 ms, OWASP minimum recommendation for production

- **12** — ~1.2 s, recommended for new systems in 2025

- **14+** — use for high-value accounts where latency is acceptable

**Output format:** `$2b$<cost>$<22-char salt><31-char hash>` — the algorithm version, cost factor, salt, and hash are all embedded in a single 60-character string. Store the entire string; no separate salt column needed.
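The field layout above, as an added example (not code from this tool or from bcryptjs): a dependency-free JavaScript parser that splits a stored hash into version, cost, salt and digest, decodes the salt with bcrypt's own base64 alphabet to confirm it is 16 bytes (128 bits), and flags hashes whose cost is below a chosen minimum. The function names and the sample string are constructed for illustration; the sample is syntactically valid but was not produced by hashing any password.

```javascript
// bcrypt's own base64 alphabet: starts with "./" and uses no padding (not RFC 4648).
const BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode bcrypt-base64 text into bytes, dropping any trailing partial byte.
function bcryptB64Decode(text) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    const v = BCRYPT_B64.indexOf(ch);
    if (v < 0) throw new Error("invalid bcrypt base64 character: " + ch);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out);
}

// Split a stored hash into its fields; returns null for anything malformed.
function parseBcryptHash(stored) {
  const m = typeof stored === "string" ? BCRYPT_RE.exec(stored) : null;
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // outside the valid cost range
  return { version: m[1], cost, salt: m[3], digest: m[4], saltBytes: bcryptB64Decode(m[3]) };
}

// Policy check to run after a successful login: true when the stored value
// is not a bcrypt hash at all or its cost is below the current minimum.
function needsRehash(stored, minCost) {
  const parsed = parseBcryptHash(stored);
  return parsed === null || parsed.cost < minCost;
}

// Constructed sample: correct shape only, not the hash of any real password.
const SAMPLE = "$2b$10$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
console.log(parseBcryptHash(SAMPLE), needsRehash(SAMPLE, 12));
```

Because the cost is readable from the stored string, a login handler can re-hash the password with the higher cost right after a successful verification, without a separate migration step.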

All hashing runs client-side. Nothing is uploaded to any server.
