What this tool is good for
bcrypt is a password hashing function based on Blowfish. Compared with general-purpose hash algorithms, it is intentionally slower and better suited for password storage scenarios.
This page can hash plaintext with configurable salt rounds and verify whether a plaintext value matches an existing bcrypt hash.
How to use it
- Enter the original plaintext on the hash side and adjust the salt rounds if needed.
- The bcrypt output is generated automatically in the result area.
- On the verify side, enter the plaintext and an existing hash to see whether they match.
Practical notes
- Higher salt rounds usually mean better resistance to brute-force attacks, but also more computation cost.
- bcrypt is meant for password hashing, not for general data integrity checks.
- Because bcrypt includes a salt, hashing the same plaintext twice can still produce different outputs.
FAQ
When should I use bcrypt instead of SHA-256?
Use bcrypt for password hashing because it is intentionally slow and includes a salt. Use SHA-256 for general checksums or digests, not for storing user passwords.
What bcrypt cost factor should I choose?
Choose a cost factor that is slow enough to resist guessing but still acceptable for your login flow. Many applications start around 10 to 12 and adjust after performance testing.
Can bcrypt hashes be decrypted?
No. Bcrypt is a one-way password hashing algorithm. Verification works by hashing the candidate password with the stored hash settings and comparing the result.
Related tools
- Hash Generator:Generate MD5, SHA, SHA-3, and RIPEMD160 hashes
- HMAC Generator:Generate HMAC values with MD5, SHA, SHA-3, and RIPEMD160