Bcrypt Generator & Verifier

Hash a password with bcrypt at a cost you choose, or verify a password against an existing bcrypt hash — all in your browser.

The Bcrypt Generator runs entirely in your browser. The passwords you hash and the hashes you verify are processed on your device and are never uploaded to ArrayKit.

Open the Hash Generator

About Bcrypt Generator

The Bcrypt Generator turns a plaintext password into a salted bcrypt hash and checks passwords against hashes you already have. In Hash mode, type a password, pick a cost factor from 4 to 15, and get a standard $2b$ hash with a unique random salt baked in — ready to store in a users table or an .htpasswd file. In Verify mode, paste a password and an existing bcrypt hash to see an instant match or no-match, which is handy when you are debugging a failed login or confirming a seeded fixture. The cost slider shows how many iterations each guess costs an attacker, so you can trade speed for brute-force resistance deliberately. Built for backend and DevOps engineers who need a reliable bcrypt reference. Passwords and hashes are processed on your device and never uploaded.

Features

How to use the Bcrypt Generator

  1. Keep the Hash tab selected and type the password you want to hash
  2. Drag the cost slider to your target rounds (10–12 is a common choice)
  3. Click Generate hash and copy the resulting $2b$ string
  4. Switch to Verify, paste a password and a bcrypt hash, and read the match result

Example

Input

password: correcthorse
cost: 10

Output

$2b$10$mZ9uJ4c0m6t1qP7yW3sVne2f8oR5aB1cD4eF6gH7iJ8kL9mN0pQr

One password, cost 10, plus a random salt becomes a 60-character bcrypt hash.

Common errors & troubleshooting

Frequently asked questions

What does the bcrypt cost factor control?
The cost (or rounds) sets how many key-expansion iterations bcrypt runs — 2 to the power of the cost. A cost of 10 means 1,024 iterations; each extra step doubles the work, making a hash slower to compute and far harder to brute-force.
Which cost should I pick in the Bcrypt Generator?
10 to 12 is the common range for web logins in 2026. Higher is more resistant to cracking but slower on every login. Pick the highest cost your server can hash in a fraction of a second under real load.
Why is every bcrypt hash of the same password different?
Bcrypt embeds a unique random salt in each hash, so identical passwords produce different strings. That defeats rainbow tables. To check a password you verify it against the stored hash rather than re-hashing and comparing text.
Can this tool verify a $2a$ or $2y$ bcrypt hash?
Yes. Paste any standard bcrypt hash — $2a$, $2b$, or $2y$ — into Verify mode with the password and it reports match or no match. The tool reads the variant and cost directly from the hash.
Do my passwords or hashes get sent anywhere?
No. The Bcrypt Generator runs entirely in your browser. The passwords you type and the hashes you paste are processed on your device and are never uploaded to ArrayKit.
Is bcrypt still a good choice for storing passwords?
Bcrypt remains a solid, widely supported password hash with a tunable work factor and per-hash salt. For new systems some teams also consider Argon2, but bcrypt is safe and well understood when you use an adequate cost.

Related tools

All ArrayKit tools