Bcrypt Generator & Verifier
Hash a password with bcrypt at a cost you choose, or verify a password against an existing bcrypt hash — all in your browser.
The Bcrypt Generator runs entirely in your browser. The passwords you hash and the hashes you verify are processed on your device and are never uploaded to ArrayKit.
About Bcrypt Generator
The Bcrypt Generator turns a plaintext password into a salted bcrypt hash and checks passwords against hashes you already have. In Hash mode, type a password, pick a cost factor from 4 to 15, and get a standard $2b$ hash with a unique random salt baked in — ready to store in a users table or an .htpasswd file. In Verify mode, paste a password and an existing bcrypt hash to see an instant match or no-match, which is handy when you are debugging a failed login or confirming a seeded fixture. The cost slider shows how many iterations each guess costs an attacker, so you can trade speed for brute-force resistance deliberately. Built for backend and DevOps engineers who need a reliable bcrypt reference. Passwords and hashes are processed on your device and never uploaded.
Features
- Hash any password to a standard $2b$ bcrypt string with a built-in random salt
- Cost slider from 4 to 15 rounds so you can tune work-factor against speed
- Live readout of the iteration count (2^cost) each hash requires
- Verify mode confirms whether a password matches an existing bcrypt hash
- Reads the variant and cost embedded in any hash you paste to verify
- Rejects strings that are not valid bcrypt hashes instead of guessing
- Every hash re-salts, so the same password never produces the same output twice
- Runs entirely in your browser with no password sent to a server
How to use the Bcrypt Generator
- Keep the Hash tab selected and type the password you want to hash
- Drag the cost slider to your target rounds (10–12 is a common choice)
- Click Generate hash and copy the resulting $2b$ string
- Switch to Verify, paste a password and a bcrypt hash, and read the match result
Example
Input
password: correcthorse
cost: 10
Output
$2b$10$mZ9uJ4c0m6t1qP7yW3sVne2f8oR5aB1cD4eF6gH7iJ8kL9mN0pQr
One password, cost 10, plus a random salt becomes a 60-character bcrypt hash.
Common errors & troubleshooting
- The same password produces a different hash every time. — That is expected — bcrypt generates a fresh random salt per hash. Use Verify mode to compare a password against a hash rather than hashing again and comparing strings.
- Verify says no match even though the password looks right. — Check for a trailing space or newline in the password field, and confirm you pasted the full 60-character hash including the $2b$<cost>$ prefix.
- A high cost makes the page feel slow to respond. — Cost is exponential — each step doubles the work. Lower the rounds to test quickly, then raise them for the value you actually store.
- An old hash starts with $2a$ or $2y$ instead of $2b$. — Those are earlier bcrypt variants and verify the same way. This tool reads the embedded variant and cost, so pasting a $2a$ or $2y$ hash into Verify still works.
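The structural checks behind "reads the variant and cost" and "rejects strings that are not valid bcrypt hashes" can be written as a small parser. This is an added example, not ArrayKit's code: the names parseBcryptHash and auditStoredHashes and the sample strings are constructed for illustration, and the audit step goes beyond the page by applying the same parse to a list of stored hashes.

```javascript
// Added example: structural check of a bcrypt string in modular crypt format.
// Layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest> = 60 chars;
// salt and digest use bcrypt's own base64 alphabet "./A-Za-z0-9".
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(input) {
  if (typeof input !== "string") return { valid: false, reason: "not a string" };
  // Report stray whitespace from a paste explicitly.
  if (input !== input.trim()) {
    return { valid: false, reason: "leading or trailing whitespace" };
  }
  if (input.length !== 60) {
    return { valid: false, reason: `expected 60 characters, got ${input.length}` };
  }
  const m = BCRYPT_RE.exec(input);
  if (!m) return { valid: false, reason: "not a $2a$/$2b$/$2y$ bcrypt string" };
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) {
    return { valid: false, reason: `cost ${cost} outside bcrypt's 4-31 range` };
  }
  return { valid: true, variant: m[1], cost, iterations: 2 ** cost, salt: m[3], digest: m[4] };
}

// Hypothetical audit helper: list stored hashes that are malformed or under a target cost.
function auditStoredHashes(rows, minCost) {
  return rows
    .map(({ user, hash }) => ({ user, parsed: parseBcryptHash(hash) }))
    .filter(({ parsed }) => !parsed.valid || parsed.cost < minCost)
    .map(({ user, parsed }) => ({
      user,
      issue: parsed.valid ? `cost ${parsed.cost} below target ${minCost}` : parsed.reason,
    }));
}

// Constructed placeholders with the right shape only; not real hashes of any password.
const PLACEHOLDER_BODY = "A".repeat(22) + "B".repeat(31);
const SAMPLE_ROWS = [
  { user: "alice", hash: "$2b$12$" + PLACEHOLDER_BODY },
  { user: "bob", hash: "$2a$08$" + PLACEHOLDER_BODY },
  { user: "carol", hash: ("$2y$10$" + PLACEHOLDER_BODY).slice(0, 59) },
];

console.log(parseBcryptHash(SAMPLE_ROWS[0].hash));
console.log(auditStoredHashes(SAMPLE_ROWS, 10));
```

A string that passes this check is only well-formed; whether a password matches it still requires running bcrypt's verify with the embedded salt and cost.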
Frequently asked questions
- What does the bcrypt cost factor control?
- The cost (or rounds) sets how many key-expansion iterations bcrypt runs — 2 to the power of the cost. A cost of 10 means 1,024 iterations; each extra step doubles the work, making a hash slower to compute and far harder to brute-force.
- Which cost should I pick in the Bcrypt Generator?
- 10 to 12 is the common range for web logins in 2026. Higher is more resistant to cracking but slower on every login. Pick the highest cost your server can hash in a fraction of a second under real load.
- Why is every bcrypt hash of the same password different?
- Bcrypt embeds a unique random salt in each hash, so identical passwords produce different strings. That defeats rainbow tables. To check a password you verify it against the stored hash rather than re-hashing and comparing text.
- Can this tool verify a $2a$ or $2y$ bcrypt hash?
- Yes. Paste any standard bcrypt hash — $2a$, $2b$, or $2y$ — into Verify mode with the password and it reports match or no match. The tool reads the variant and cost directly from the hash.
- Do my passwords or hashes get sent anywhere?
- No. The Bcrypt Generator runs entirely in your browser. The passwords you type and the hashes you paste are processed on your device and are never uploaded to ArrayKit.
- Is bcrypt still a good choice for storing passwords?
- Bcrypt remains a solid, widely supported password hash with a tunable work factor and per-hash salt. For new systems some teams also consider Argon2, but bcrypt is safe and well understood when you use an adequate cost.
Related tools
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
- htpasswd Generator — Generate Apache/nginx .htpasswd entries with bcrypt or SHA-1 hashed passwords, in your browser.
- Password Generator — Generate strong, random passwords with a strength meter (crypto-secure).
- HMAC Generator — Generate an HMAC (SHA-256, SHA-1, SHA-512) from a message and secret key using Web Crypto.
- JWT Decoder — Decode JWT header & payload and inspect exp / iat (no verification).
- TOTP / 2FA Generator — Generate time-based one-time passwords (2FA codes) from a base32 secret.