
Bcrypt Generator

Hash a password with bcrypt and verify hashes — entirely in your browser. Uses bcryptjs (pure JavaScript bcrypt) with no server calls. Your password never leaves your machine.

Rounds 10–12 are standard. Each +1 doubles hashing time.
CLI equivalents
Node.js (bcryptjs)
node -e "const b=require('bcryptjs'); console.log(b.hashSync('pw',12))"
Python (bcrypt)
python3 -c "import bcrypt; print(bcrypt.hashpw(b'pw',bcrypt.gensalt(12)))"

What is bcrypt?

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. Unlike SHA-256 or MD5, bcrypt is deliberately slow — it includes a configurable cost factor (rounds) that makes brute-force attacks computationally expensive even with modern GPU hardware.

A bcrypt hash looks like $2b$12$..., where 2b is the algorithm version, 12 is the cost factor, and the remaining characters encode a 22-character salt and 31-character hash.

Choosing the right cost factor

The cost factor (rounds) is a base-2 exponent: cost 12 means 2^12 = 4,096 rounds of the internal Blowfish cipher. Each +1 doubles the time to hash. Choose the highest factor your server can handle while keeping login under ~300ms:

  • 10 — fast (<100ms on most hardware), acceptable for high-traffic endpoints
  • 12 — default for most frameworks (Passport.js, Django's bcrypt, Laravel)
  • 13–14 — recommended for admin accounts or low-frequency logins

Never go below 10. The OWASP Authentication Cheat Sheet recommends a minimum cost of 10, with 12 as the preferred default.
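The hash layout and the cost guidance above can be checked mechanically over stored hashes. This is an added example, not code from this tool or from bcryptjs; the function names, the policy default of 12 and the sample rows are assumptions made for illustration.

```javascript
// Added example: audit stored bcrypt hashes against a minimum-cost policy.
// Layout: $<version>$<2-digit cost>$<22-char salt><31-char hash>
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null; // wrong prefix, length or alphabet
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt defines costs 4..31 only
  return { version: m[1], cost, iterations: 2 ** cost, salt: m[3], digest: m[4] };
}

// Decide what to do with a stored value at the user's next successful login.
function auditHash(stored, minCost = 12) {
  const parsed = parseBcryptHash(stored);
  if (!parsed) return { action: 'flag', reason: 'not a well-formed bcrypt hash' };
  if (parsed.cost < minCost) {
    return {
      action: 'rehash',
      reason: `cost ${parsed.cost} is below policy ${minCost}`,
      // Each +1 doubles the work, so this is the slowdown after upgrading.
      costMultiplier: 2 ** (minCost - parsed.cost),
    };
  }
  return { action: 'keep', reason: `cost ${parsed.cost} meets policy ${minCost}` };
}

function auditAll(rows, minCost = 12) {
  return rows.map((r) => ({ user: r.user, ...auditHash(r.hash, minCost) }));
}

// Constructed sample rows: placeholder salt/hash text, not real password hashes.
const SALT = 'ABCDEFGHIJKLMNOPQRSTUu'; // 22 chars
const DIGEST = 'abcdefghijklmnopqrstuvwxyz01234'; // 31 chars
const SAMPLES = [
  { user: 'alice', hash: '$2b$12$' + SALT + DIGEST },
  { user: 'bob', hash: '$2a$08$' + SALT + DIGEST }, // old, low cost
  { user: 'carol', hash: '0123456789abcdef0123456789abcdef' }, // unsalted hex digest
  { user: 'dave', hash: '$2b$12$' + SALT + DIGEST.slice(0, 20) }, // truncated column
];

for (const row of auditAll(SAMPLES)) console.log(row.user, row.action, row.reason);
```

A row marked rehash can only be upgraded when the user next logs in, because the plaintext is needed to compute the new hash.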

bcrypt in your stack

Node.js / Next.js — use bcryptjs (pure JS, works in edge runtime) or bcrypt (native, faster):

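import bcrypt from 'bcryptjs';
// Hash with cost factor 12; a random salt is generated and embedded in the result.
const hash = await bcrypt.hash(password, 12);
// Verify a login attempt against the stored hash.
const match = await bcrypt.compare(input, hash);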

Python / Django — Django's BCryptSHA256PasswordHasher handles bcrypt natively. Set it in PASSWORD_HASHERS in settings.py.

Laravel — Laravel uses bcrypt (rounds = 12) by default via Hash::make($password). No additional config needed.

Ruby on Rails: has_secure_password uses bcrypt via the bcrypt gem. Cost is 12 by default, configurable with BCrypt::Engine.cost = 13.

bcrypt limitations

bcrypt silently truncates passwords longer than 72 bytes. If you need to support long passphrases, pre-hash the password with SHA-256 before passing it to bcrypt (this is what Django's BCryptSHA256PasswordHasher does). For new projects, consider Argon2id — it is resistant to both GPU and side-channel attacks and is recommended by OWASP as the first choice since 2019.
