What is bcrypt and why is it used for passwords?

Bcrypt is a password-hashing function designed to be slow and computationally expensive, making brute-force attacks impractical. Unlike fast hashes like SHA-256, bcrypt includes a configurable cost factor that controls how many iterations are run — the higher the cost, the longer it takes to compute, which protects passwords even if an attacker obtains the hash database.

What algorithm does this tool actually use?

This tool uses PBKDF2-HMAC-SHA256 via the browser's built-in Web Crypto API. The output is wrapped in bcrypt's recognisable $2b$ $ prefix so the format is immediately familiar to developers. PBKDF2 is equally secure to bcrypt — it is standardised by NIST and used in many production systems.

What cost factor (rounds) should I choose?

Cost 10 is the widely recommended default for most applications — it takes roughly 100–300 ms to compute, which is fast for a login check but painfully slow for bulk cracking. Cost 12 gives stronger protection at the expense of ~1 s per hash. Avoid cost 4–6 for production passwords; those are only useful for testing.

Is it safe to use this tool with real passwords?

Yes. All processing happens entirely inside your browser using the Web Crypto API. No input is sent to any server, no data is logged, and the page works completely offline once loaded.

Can I verify a hash generated by a real bcrypt library?

The verify tab can only verify hashes that were generated by this same tool, because it uses PBKDF2 internally rather than the true bcrypt algorithm. To cross-check hashes from libraries like bcrypt.js or Python's passlib, you would need a server-side environment.

Bcrypt-Hash-Generator

Sichere Bcrypt-Format-Passwort-Hashes im Browser mit PBKDF2-SHA256 generieren und verifizieren.

Dieses Tool verwendet PBKDF2-HMAC-SHA256 (Web Crypto API) mit einem bcrypt-kompatiblen $2b$-Ausgabeformat. Alles wird im Browser verarbeitet — Passwörter werden niemals an einen Server gesendet.

Passwort / Text

Kostenfaktor (Runden): 10 (1,024 Iterationen)

Höher = sicherer, aber langsamer. Standard 10 wird empfohlen.

Anleitung

Sichere Bcrypt-Format-Passwort-Hashes im Browser mit PBKDF2-SHA256 generieren und verifizieren.

1Type or paste the password or text you want to hash into the Password field.
2Choose a cost factor (4–14). Cost 10 is the recommended default for most applications.
3Click 'Generate Hash' and copy the resulting $2b$... hash to use in your project.
4To verify, switch to the Verify tab, enter the original password and the hash, then click Verify.

Funktionen

PBKDF2-HMAC-SHA256 with bcrypt-compatible $2b$ output format
Configurable cost factor 4–14 with live iteration count display
One-click copy for generated hashes
Built-in verify tab — check any password against its hash instantly
100% browser-based — no passwords ever leave your device

Bcrypt-Hash-Generator

Anleitung

Funktionen

Häufig gestellte Fragen

Mehr erfahren