Question 1

What is bcrypt and why use it for passwords?

Accepted Answer

Bcrypt is an adaptive password-hashing function based on the Blowfish cipher, designed in 1999. Unlike general-purpose digests like MD5 or SHA-256 — which are fast and therefore easy to brute-force at scale — bcrypt is deliberately slow and includes a tunable cost factor and a built-in 128-bit salt. That combination makes large-scale password cracking expensive and defeats precomputed rainbow tables, which is why bcrypt remains a recommended choice for storing password hashes alongside scrypt and Argon2.

Question 2

What is the bcrypt cost factor and what value should I use?

Accepted Answer

The cost (or work) factor sets how many key-expansion rounds run per hash — exactly 2^cost iterations. A cost of 10 means 1,024 rounds; a cost of 12 means 4,096. Each extra point doubles the time, so the right value is the highest one your login latency budget tolerates — commonly 10 to 12 for interactive logins, higher for offline or batch hashing. As hardware improves, raise the cost. This tool shows the iteration count and an approximate per-hash time so you can tune it for your own server.

Question 3

Is it safe to hash a real password in this online tool?

Accepted Answer

Yes. The bcrypt computation runs entirely in your browser using client-side JavaScript — there is no backend and no data transmission. The salt is generated with the Web Crypto API's crypto.getRandomValues(), and your password is held only in volatile memory until you close or refresh the tab. You can verify the zero-transmission claim by opening your browser's Network tab and confirming that no requests are sent while you hash or verify.

Question 4

What do the parts of a bcrypt hash mean?

Accepted Answer

A bcrypt hash is a 60-character string like $2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW. The leading $2b$ is the algorithm version, the next two digits (12) are the cost factor, the following 22 characters are the base64-encoded 128-bit salt, and the final 31 characters are the actual hash checksum. Because the salt and cost are stored inside the string, a verifier needs nothing but the hash and the candidate password to check a match.

Question 5

What is the difference between the $2a, $2b, and $2y prefixes?

Accepted Answer

These prefixes identify the bcrypt revision that produced the hash. $2a was the original widely deployed version; $2y was a PHP-specific tag introduced after a 2011 wraparound bug; and $2b is the current corrected version emitted by modern libraries. For new hashes use $2b. All three are computed identically for normal ASCII passwords, so a $2b verifier will correctly check a legacy $2a or $2y hash — this tool defaults to $2b and offers $2a for compatibility with older systems.

Question 6

Why does bcrypt ignore characters past 72 bytes?

Accepted Answer

Bcrypt's key schedule only consumes the first 72 bytes of the input, so any characters beyond that are silently dropped and do not affect the hash. With multi-byte UTF-8 passwords the limit can be reached in well under 72 visible characters. This tool warns you when your input exceeds 72 bytes. A common mitigation for very long passphrases is to pre-hash the password with SHA-256 (and base64-encode it) before feeding it to bcrypt, keeping the effective input within the limit.

Question 7

How is bcrypt different from MD5 or SHA-256?

Accepted Answer

MD5 and SHA-256 are general-purpose cryptographic digests built to be fast, which makes them a poor fit for password storage — a modern GPU can compute billions of SHA-256 hashes per second. Bcrypt is the opposite: it is intentionally slow, salted by default, and adaptive through its cost factor, so it stays resistant to brute-force attacks over time. Use SHA-256 or HMAC for checksums and message authentication, and bcrypt, scrypt, or Argon2 for hashing passwords at rest. Reach for our Hash Generator when you need a fast digest, and run a candidate through the Password Strength Checker before hashing it to confirm it is worth protecting.

Bcrypt Hash Generator

Why Use This Bcrypt Hash Generator?

How to Use the Bcrypt Generator

Frequently Asked Questions

Why Use This Bcrypt Hash Generator?

How to Use the Bcrypt Generator

Frequently Asked Questions

Related Tools