Bcrypt Hash Generator and Verifier - Online Password Hash Tool

Bcrypt Hash

Bcrypt Verify

Match:--

About this tool

What this tool is good for

bcrypt is a password hashing function based on Blowfish. Compared with general-purpose hash algorithms, it is intentionally slower and better suited for password storage scenarios.

This page can generate a bcrypt hash from plaintext with configurable cost rounds and verify whether a plaintext value matches an existing bcrypt hash. It does not decrypt bcrypt hashes because bcrypt is intentionally one-way.

Generator vs verifier

ModeInputOutputUse case
GeneratePlaintext password and cost roundsA new bcrypt hashCreate a test hash or inspect how cost rounds affect output.
VerifyPlaintext password and existing bcrypt hashMatch or no matchCheck a login candidate against a stored password hash.
DecryptBcrypt hash onlyNot possibleBcrypt is not encryption and has no reversible decrypt step.

Because the salt is embedded in the bcrypt hash, two generated hashes for the same password can look different while still verifying correctly.

Cost rounds reference

CostTypical meaningWhen to use
8-9Faster but weakerLocal demos, legacy compatibility, or low-risk tests.
10-12Common starting rangeMany web applications begin here and tune after measuring login latency.
13+Slower and more expensiveUse only when your servers and user experience can absorb the delay.
  • Benchmark cost rounds on the same class of hardware that will handle real logins.
  • Choose a cost that is slow enough to make guessing expensive but fast enough for normal authentication.
  • Review the cost periodically as hardware and traffic patterns change.

How bcrypt verification works in a login flow

  1. During signup, hash the user's password with bcrypt and store only the resulting hash.
  2. During login, load the stored hash for that account.
  3. Run bcrypt verification with the candidate password and the stored hash.
  4. Accept the login only if verification returns a match.
          // Pseudocode
storedHash = db.users.find(email).password_hash
isMatch = bcrypt.verify(candidatePassword, storedHash)
if (!isMatch) rejectLogin()
        

How to use it

  1. Enter the original plaintext on the hash side and adjust the salt rounds if needed.
  2. The bcrypt output is generated automatically in the result area.
  3. On the verify side, enter the plaintext and an existing hash to see whether they match.

Practical security notes

  • Higher salt rounds usually mean better resistance to brute-force attacks, but also more computation cost.
  • bcrypt is meant for password hashing, not for general data integrity checks.
  • Because bcrypt includes a salt, hashing the same plaintext twice can still produce different outputs.
  • Never store the original password next to the hash; verification should only need the candidate password and the stored hash.

FAQ

When should I use bcrypt instead of SHA-256?

Use bcrypt for password hashing because it is intentionally slow and includes a salt. Use SHA-256 for general checksums or digests, not for storing user passwords.

What bcrypt cost factor should I choose?

Choose a cost factor that is slow enough to resist guessing but still acceptable for your login flow. Many applications start around 10 to 12 and adjust after performance testing.

Can bcrypt hashes be decrypted?

No. Bcrypt is a one-way password hashing algorithm. Verification works by hashing the candidate password with the stored hash settings and comparing the result.

Why are two bcrypt hashes for the same password different?

Bcrypt stores salt and cost parameters inside the hash. A new salt can produce a different hash for the same password, and verification still works because the stored hash contains the settings needed for comparison.

Can I use this as a bcrypt password checker?

Yes. Use the verify mode to check whether a plaintext candidate matches an existing bcrypt hash. The tool should be used for debugging and development checks, not for exposing production secrets.

Should I use bcrypt for API tokens or files?

Usually no. Bcrypt is designed for password storage. Use HMAC, SHA-256, file hashing, or another purpose-built primitive for tokens, signatures, and file integrity checks.

Related tools