Bcrypt Generator

Generate bcrypt password hashes for secure password storage and authentication systems.

Generate Hash

4 (Fast)10 (Recommended)16 (Slow)

Verify Hash

About Bcrypt

Bcrypt is a password hashing function designed for secure password storage. It incorporates a salt to protect against rainbow table attacks and is adaptive, meaning it can be made slower over time as hardware improves.

The cost factor (salt rounds) determines how computationally expensive the hash operation is. Higher values are more secure but slower.

Hash Format

$2a$10$N9qo8uLOickgx2ZMRZoMy...
  • $2a$ → Algorithm identifier
  • 10$ → Cost factor (2^10 iterations)
  • 22 chars → Salt (base64 encoded)
  • 31 chars → Hash (base64 encoded)

Salt Rounds Guide

4-7:Fast but less secure
10:Recommended default
12-14:High security applications
15+:Very slow, extreme security

Note: This is a client-side simulation for educational purposes. For production use, always use a proper bcrypt library on the server side.

What Is Bcrypt and Why Does It Matter?

Bcrypt is a password hashing function originally designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. Unlike general-purpose cryptographic hash functions such as SHA-256 or MD5, bcrypt was engineered specifically for securely storing passwords. Its most important properties are that it is slow by design, adaptive, and incorporates automatic salting — all of which dramatically reduce the effectiveness of brute-force and dictionary attacks.

When a user registers or changes their password on a website or application, the system should never store the plaintext password directly. Instead, the password is run through bcrypt to produce a fixed-length hash string. Only this hash is stored in the database. When the user logs in again, the same process is applied to the submitted password and the resulting hash is compared to the stored one. If they match, authentication succeeds — and the original password is never exposed, even to the application itself.

The practical importance of bcrypt cannot be overstated. Data breaches exposing user credentials are common, and weakly hashed passwords — or plaintext passwords — can be cracked almost instantly with modern hardware and rainbow table databases. Bcrypt's built-in salt eliminates rainbow table attacks, while its tunable cost factor means even direct brute-force attacks require significant time per guess, even on GPUs. This makes bcrypt one of the most trusted password hashing strategies in production systems today and a staple recommendation in security guidelines from OWASP and NIST.

This bcrypt generator lets you explore how bcrypt hashes are structured, experiment with different cost factors (salt rounds), and validate hash format strings — all directly in your browser, no server required.

How Bcrypt Hashing Works

Bcrypt operates through a multi-stage process that combines a randomly generated salt, your input password, and a configurable cost factor to produce a 60-character output string. Understanding each stage helps you make informed decisions about cost factors and integration patterns.

Stage 1 — Salt generation: A 16-byte (128-bit) cryptographically random salt is generated for every hash operation. This salt is encoded in a modified base64 alphabet consisting of the characters A-Z, a-z, 0-9, ., and /, producing a 22-character salt string. Because each password gets a unique salt, two identical passwords will always produce completely different hashes, defeating precomputed attack databases.

Stage 2 — Key schedule expansion: The Eksblowfish (Expensive Key Schedule Blowfish) algorithm is initialized with both the salt and the password. The cost factor c controls how many times the key schedule is expanded: exactly 2c iterations are performed. At cost 10, that is 1,024 iterations; at cost 12 it is 4,096; at cost 14 it is 16,384. Each doubling of the cost factor doubles the computation time, making brute-force attacks proportionally harder as you increase the cost.

Stage 3 — Hash output: A fixed magic string "OrpheanBeholderScryDoubt" is encrypted 64 times using the expanded key schedule. The result is base64-encoded and appended to the salt to form the final hash string. The entire output is always exactly 60 characters long in the standard Modular Crypt Format.

Bcrypt Hash Format

$2a$[cost]$[22-char-salt][31-char-hash]

Where:

  • $2a$= Algorithm version identifier (2a = bcrypt with UTF-8 password support)
  • [cost]= Two-digit zero-padded cost factor (salt rounds), e.g. 10. Determines 2^cost iterations.
  • [22-char-salt]= Random 22-character base64url salt drawn from A-Za-z0-9./; unique per hash
  • [31-char-hash]= Base64url-encoded 31-character hash output derived from password + salt + cost expansion

Choosing the Right Salt Rounds (Cost Factor)

The salt rounds value — also called the cost factor or work factor — is the single most important tuning knob when using bcrypt. It is an integer between 4 and 31, and it controls how computationally expensive hashing is: each increment doubles the number of Eksblowfish iterations performed, which directly doubles the time required to compute a hash.

Cost Factor Iterations (2^cost) Approx. Time (modern CPU) Typical Use Case
4 16 < 1 ms Testing and development only
10 1,024 ~100 ms General web applications (recommended default)
12 4,096 ~400 ms Sensitive or high-value accounts
14 16,384 ~1.5 s High-security applications, admin accounts
16 65,536 ~6 s Extreme security; background processing only

The OWASP Password Storage Cheat Sheet recommends a minimum cost factor of 10 for bcrypt and suggests reassessing the cost factor periodically as hardware improves. A good rule of thumb is to target a hashing time of approximately 100–300 milliseconds for interactive logins. For batch operations or background tasks where latency is less critical, higher cost factors provide stronger protection with no user-visible penalty.

Never use cost 4 in production. While it is useful for speeding up automated tests, the resulting hashes provide minimal protection. Conversely, cost factors above 14 can cause timeouts on resource-constrained servers and dramatically increase server load during traffic spikes — always load-test before deploying a high cost factor in a high-concurrency environment.

Anatomy of a Bcrypt Hash String

Every bcrypt hash is a self-contained string in the Modular Crypt Format (MCF). Unlike some hash formats that require storing the salt and parameters separately, bcrypt embeds all the information needed for verification directly into the 60-character output string. This design makes storage and comparison straightforward: just store the full hash string and compare it during login.

A valid bcrypt hash looks like: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

  • $2a$ — The algorithm version prefix. $2a$ is the most common and indicates bcrypt with proper UTF-8 password handling. You may also see $2b$ (corrected version used by newer implementations) or $2y$ (PHP's variant). All are functionally equivalent for most passwords.
  • 10$ — The cost factor, always two digits. This tells the verifier how many iterations to use when re-hashing the supplied password for comparison. Without this, stored hashes could not be verified.
  • Next 22 characters — The base64-encoded random salt. Each password gets a completely unique salt, so even if two users share the same password, their hashes will be different.
  • Final 31 characters — The base64-encoded hash output derived from running the Eksblowfish cipher over the password and salt.

The bcrypt base64 alphabet differs from standard Base64. It uses ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 — note the period and slash at the start — rather than the +/ of standard Base64. This is a historical artifact of the original Unix crypt implementation and has no security impact, but it means bcrypt hashes are not directly usable with standard Base64 decoders.

The verification regex used by this tool checks for this exact structure: the string must begin with $2, optionally followed by a, b, or y, then $, exactly two digits for the cost, $, and exactly 53 characters drawn from the bcrypt base64 alphabet (22 salt + 31 hash). Any deviation from this pattern indicates an invalid or malformed hash.

Bcrypt Security Best Practices for Developers

Implementing bcrypt correctly is straightforward, but several common mistakes can undermine its security. Following these best practices ensures your password storage is as robust as possible in production systems.

Always hash on the server side. Bcrypt password hashing must be performed on your server — never in the browser for production use. Client-side hashing could expose your hashing implementation, allow manipulation of the hash before storage, and remove bcrypt's timing attack protections. This tool is strictly for education, format exploration, and demonstration.

Never truncate passwords before hashing. Bcrypt implementations typically truncate passwords at 72 bytes (not characters). This means extremely long passwords provide no additional security beyond their first 72 bytes. If your application must accept very long passwords, consider pre-hashing with SHA-256 and encoding as hex before passing to bcrypt — but this pattern requires care to avoid introducing new vulnerabilities.

Store only the full hash string. The 60-character bcrypt output already contains the algorithm, cost, salt, and hash — never store these separately. Storing the full string simplifies verification and enables seamless cost factor upgrades (rehash on next successful login).

Use a maintained bcrypt library. Popular options include bcrypt and bcryptjs for Node.js, passlib for Python, spring-security-crypto for Java, and the built-in password_hash() / password_verify() functions in PHP 5.5+. Never implement bcrypt from scratch in production.

Plan for cost factor upgrades. Hardware gets faster every year, so a cost of 10 today may be insufficient in five years. Build in a mechanism to rehash passwords on successful login when the stored cost factor falls below your current minimum. This is transparent to users and keeps stored hashes up to date.

Bcrypt vs Argon2, scrypt, and PBKDF2

Bcrypt is not the only modern password hashing algorithm, and understanding how it compares to alternatives helps you choose the right tool for your security requirements.

Argon2 is the winner of the Password Hashing Competition (2015) and is now recommended by OWASP as the first choice for new applications. Unlike bcrypt, Argon2 allows you to tune not just CPU cost but also memory usage and parallelism. This makes it significantly harder to accelerate on GPUs or custom ASIC hardware, because high memory requirements limit the number of parallel guesses attackers can run simultaneously. Argon2id (the hybrid variant) is the recommended default. If you are building a new system today, prefer Argon2id where library support is available.

scrypt was designed by Colin Percival specifically to be memory-hard, predating Argon2. It offers configurable CPU and memory cost but has a more complex parameter space. scrypt is a reasonable choice and is used in several cryptocurrency and encryption applications, but its API can be harder to tune correctly compared to Argon2.

PBKDF2 is widely standardized (NIST SP 800-132, PKCS#5) and uses a HMAC function iterated many times. Its main weakness compared to bcrypt and Argon2 is that it is not memory-hard, making it significantly more vulnerable to GPU-accelerated attacks. PBKDF2 remains acceptable when compliance with FIPS standards is required, but should use a high iteration count (600,000+ for PBKDF2-HMAC-SHA256 per 2023 OWASP guidance).

MD5 and SHA-1/256 are not password hashing functions and should never be used to hash passwords, even with a salt. They are designed to be fast, making them ideal for data integrity but catastrophically easy to brute-force for passwords. Billions of password guesses per second are possible on a single GPU.

For most existing applications already using bcrypt, there is no urgent need to migrate — bcrypt remains secure when used with cost ≥ 10. For new projects, Argon2id is the modern best practice.

Worked Examples

Generating a Bcrypt Hash at Cost 10

Problem:

Hash the password "MySecurePassword123" using salt rounds = 10, producing a valid bcrypt output string.

Solution Steps:

  1. 1Set cost factor to 10. The algorithm will perform 2^10 = 1,024 Eksblowfish key schedule iterations.
  2. 2Generate a 22-character random salt from the bcrypt base64 alphabet (A-Za-z0-9./). Example salt: "N9qo8uLOickgx2ZMRZoMye".
  3. 3Construct the salt prefix: "$2a$" + "10" + "$" = "$2a$10$".
  4. 4Run the Eksblowfish cipher over the password and salt for 1,024 iterations, then base64-encode the 23-byte output to get a 31-character hash part, e.g. "IjZAgcfl7p92ldGxad68LJZdL17lhWy".
  5. 5Concatenate to form the final 60-character hash: "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy".

Result:

$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy (60 characters, valid bcrypt format)

Comparing Computation Time Across Cost Factors

Problem:

A developer wants to understand the performance tradeoff of increasing salt rounds from 10 to 12.

Solution Steps:

  1. 1At cost 10: 2^10 = 1,024 iterations. On a typical 2024 server CPU, bcrypt takes approximately 80–120 ms per hash.
  2. 2At cost 12: 2^12 = 4,096 iterations — exactly 4× the iterations of cost 10. Expected time: approximately 320–480 ms per hash.
  3. 3At cost 14: 2^14 = 16,384 iterations — 16× cost-10 work. Expected time: approximately 1.2–2 seconds per hash.
  4. 4For a login endpoint handling 100 concurrent users: cost 10 ≈ 10 hashing operations/sec capacity; cost 12 ≈ 2.5 operations/sec capacity. Plan server resources accordingly.
  5. 5Conclusion: cost 12 is a good balance for high-security applications, but requires either more server capacity or async/queued processing to avoid login latency spikes.

Result:

Cost 12 uses 4× more CPU time than cost 10 (4,096 vs 1,024 iterations), significantly increasing brute-force difficulty with manageable production impact.

Validating a Bcrypt Hash Format String

Problem:

Check whether the string "$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj/gzMRFMW6" is a valid bcrypt hash.

Solution Steps:

  1. 1Check the prefix: the string starts with "$2b$" — a valid bcrypt version prefix (alongside $2a$ and $2y$).
  2. 2Extract the cost: "12" — a valid two-digit cost factor between 04 and 31.
  3. 3Count the remaining characters after the second "$": 53 characters total. Split as 22 (salt) + 31 (hash).
  4. 4Verify the character set: all 53 characters are from the bcrypt base64 alphabet [./A-Za-z0-9].
  5. 5Apply the validation regex: /^\$2[aby]?\$\d{2}\$[./A-Za-z0-9]{53}$/ — matches. Hash format is valid.

Result:

Valid bcrypt hash format. Version: $2b$, cost factor: 12, salt: "LQv3c1yqBWVHxkd0LHAkCO", hash: "Yz6TtxMQJqhN8/LewdBPj/gzMRFMW6".

Estimating Brute-Force Resistance at Different Cost Factors

Problem:

An attacker can test 10,000 bcrypt guesses per second at cost 4 on dedicated hardware. How does upgrading to cost 10 affect their attack speed?

Solution Steps:

  1. 1At cost 4: 2^4 = 16 iterations. Attacker speed: 10,000 guesses/second.
  2. 2Moving from cost 4 to cost 10 increases iterations by factor 2^(10-4) = 2^6 = 64.
  3. 3New attacker speed at cost 10: 10,000 / 64 ≈ 156 guesses per second.
  4. 4A lowercase-letter 8-character password has 26^8 ≈ 208 billion combinations. At 10,000/sec (cost 4), cracking time ≈ 208 billion / 10,000 ≈ 241 days. At 156/sec (cost 10), cracking time ≈ 208 billion / 156 ≈ 42 years.

Result:

Upgrading from cost 4 to cost 10 reduces attacker throughput by 64×, increasing brute-force time from ~241 days to ~42 years for an 8-character lowercase password.

Tips & Best Practices

  • Always use cost factor 10 or higher in production — cost 4 to 8 is acceptable only for automated tests where speed matters.
  • Never store plaintext passwords or reversible encrypted passwords — use bcrypt or Argon2id exclusively for password storage.
  • Re-hash passwords at next login when you increase your minimum cost factor — bcrypt hashes are self-contained and upgradeable.
  • Use a well-maintained bcrypt library (bcrypt, bcryptjs for Node; passlib for Python; password_hash for PHP) — never roll your own implementation.
  • Pre-hash with SHA-256 + hex encoding before bcrypt if your application genuinely needs to support passwords longer than 72 bytes.
  • Combine bcrypt with multi-factor authentication (MFA) for high-value accounts — bcrypt protects stored credentials, not the login session itself.
  • Store only the full 60-character bcrypt hash string in your database; never store the salt or cost factor separately.
  • Test your chosen cost factor under realistic concurrent load before deploying — higher cost can cause login timeouts under traffic spikes.
  • Prefer $2b$ version prefix in new implementations; it corrects a minor edge-case bug in the $2a$ spec for non-ASCII passwords.

Frequently Asked Questions

No — this tool is a client-side educational simulation for demonstrating bcrypt's hash format and structure. Real bcrypt requires a server-side implementation using a trusted library such as bcrypt for Node.js, passlib for Python, or password_hash() in PHP. Hashing passwords in the browser exposes your implementation to manipulation and removes server-side timing attack protections. Always hash passwords server-side in production.
Each bcrypt hash operation generates a new random 16-byte salt before hashing. This salt is different every time, so even if you hash the exact same password twice, the resulting 60-character strings will be completely different. The salt is embedded in the hash string itself, which is why verification still works: the stored hash contains the salt needed to reproduce the same computation and compare results.
The original bcrypt specification truncates input passwords at 72 bytes (not characters). For ASCII passwords this is 72 characters, but multi-byte Unicode characters consume more bytes and reduce the effective limit. Passwords longer than 72 bytes provide no additional security — the extra characters are ignored. If your application requires very long passphrase support, consider pre-hashing with SHA-256 (hex-encoded) before passing to bcrypt, though this pattern requires careful implementation.
All three are bcrypt but differ in how they handle non-ASCII passwords. $2a$ is the original identifier with a UTF-8 handling bug affecting passwords containing characters with the high bit set (unusual in practice). $2b$ is a corrected version introduced by OpenBSD in 2014. $2y$ is a PHP-specific variant introduced before $2b$ was standardized. For English-character passwords they produce identical hashes; for production use, prefer $2b$ when your library supports it.
OWASP recommends reassessing your cost factor whenever hardware improvements make hashing noticeably faster. A common guideline is to check every 1–2 years and increase the cost factor if you can afford the additional latency. Because the cost factor is stored inside every bcrypt hash, you can transparently upgrade individual hashes on next successful login — no mass re-hashing or user notification required. Simply check the stored cost factor at login and rehash if it is below your current minimum.
No — bcrypt is a one-way hash function. There is no mathematical operation to reverse the Eksblowfish cipher output back to the original password. Attackers who obtain a bcrypt hash can only try to find the original password by guessing candidates and hashing each one, which is why the computational cost of bcrypt is so important. There is no "decryption" of a bcrypt hash; verification always works by re-hashing the candidate password and comparing the result.
When implemented correctly, bcrypt libraries use constant-time comparison to prevent timing attacks — attacks where an adversary measures slight differences in response time to infer whether a hash matches. Standard string comparison functions (like == in JavaScript or Python) can leak partial information because they return early on the first mismatched byte. Reputable bcrypt libraries always perform the full comparison regardless of where a mismatch occurs, so use a well-maintained library rather than implementing comparison yourself.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the Bcrypt Generator?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.