WebToolX

Command Palette

Search for a command to run...

Security & Crypto

Bcrypt Generator

Hash and verify passwords with bcrypt online. Choose your cost factor (rounds) and get a secure hash instantly — all processing runs in your browser.

Generate Hash

Verify Password

What is bcrypt?

Bcrypt is a password-hashing function built on the Blowfish cipher. It was purpose-built for passwords — its adaptive cost factor makes it deliberately slow, thwarting brute-force attacks even as hardware improves. Every bcrypt hash embeds a random salt, so identical passwords produce different hashes, neutralising rainbow-table lookups.

How to use this tool

  1. Enter a password in the Hash section and choose a cost factor (8, 10, or 12).
  2. Click Generate Hash to compute the bcrypt string.
  3. Copy the hash with the Copy button and store it in your database.
  4. To verify later, paste the password and hash into the Verify section and click Verify.

Choosing the right cost factor

A cost factor of 10 is the widely accepted default — it takes roughly 100 ms on a modern server, which is imperceptible to users but expensive enough to slow an attacker down to a few thousand guesses per second. If your server is fast or you store very sensitive data, bump to 12. Use 8 only in resource-constrained environments or automated testing.

Security note

This tool runs entirely in your browser via WebAssembly-compiled JavaScript. No passwords or hashes are transmitted to any server. You can use it safely with real credentials.

Frequently Asked Questions

What is bcrypt and why should I use it for passwords?

Bcrypt is an adaptive password-hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike fast hashing functions such as MD5 or SHA-256, bcrypt is intentionally slow — its cost factor lets you increase the work required to compute a hash as hardware gets faster. This makes brute-force and rainbow-table attacks impractical even on modern GPUs, which is why bcrypt remains one of the gold standards for storing user passwords.

What does the rounds (cost factor) setting mean?

The cost factor controls how many iterations bcrypt performs internally — specifically, the number of iterations is 2^rounds. Rounds 8 completes in a few milliseconds; rounds 10 (the recommended default) takes roughly 100 ms; rounds 12 takes around 400 ms. Higher rounds mean better security against brute-force, but also more CPU time per login. For most applications rounds 10–12 strikes a good balance.

Does the tool send my password to a server?

No. All hashing and verification runs entirely inside your browser using the bcryptjs library compiled to JavaScript. Your plaintext password and the resulting hash never leave your device. The tool is safe to use with real or test passwords alike.