About this tool
bcrypt is a password-hashing function designed to be deliberately slow, which makes brute-force attacks expensive. It builds the salt into the hash and exposes a cost factor (work factor) you can raise over time as hardware gets faster. This tool both hashes a password and verifies a plaintext password against a stored bcrypt hash, so you can test your authentication logic without writing a script.
Hashing and verification run locally in your browser via bcryptjs, so passwords are never transmitted. A cost factor of 10–12 is a sensible default for most applications; higher values are more secure but slower. Note that bcrypt only uses the first 72 bytes of the input (bytes, not characters) and silently ignores the rest — for longer secrets, pre-hash them first.
Frequently asked questions
What cost factor should I use?
A cost of 10 to 12 balances security and speed for typical web logins. Each step doubles the work; benchmark on your production hardware and pick the highest value that keeps hashing under roughly 250ms.
Why does the same password produce a different hash each time?
bcrypt generates a random salt for every hash and stores it inside the output, so identical passwords yield different hashes. Verification still works because the salt is read back from the hash being checked.
Can I recover the original password from a hash?
No — bcrypt is one-way by design. You can only verify whether a candidate password matches a hash, which is exactly what the Verify mode does here.