Hash passwords using bcrypt with configurable salt rounds. Verify passwords against bcrypt hashes.
$2b$ - Algorithm identifier (bcrypt version)
XX$ - Cost factor (number of iterations = 2^cost)
22 chars - Base64-encoded salt (128-bit)
31 chars - Base64-encoded hash (184-bit)

Type the password to hash.
Choose salt rounds (10-12 recommended).
Bcrypt hash is generated.
Use the Bcrypt Hash Generator when implementing password storage in web applications, testing bcrypt implementations during development, or verifying that existing password hashes match expected inputs. Bcrypt is the standard choice for secure password hashing in Node.js, Python, Ruby, and PHP applications. Use the generator to test your authentication logic by generating and verifying hashes before deployment.
Salt rounds (also called the cost factor or work factor) determine how computationally expensive the hashing process is. Each increment doubles the computation time: 10 rounds take about 100ms while 12 rounds take about 400ms. Higher values make brute-force attacks much slower, providing better protection as hardware gets faster over time.
For most web applications, 10-12 salt rounds provide a good balance of security and performance. Use 12+ rounds for high-security applications like banking or admin accounts. The ideal value depends on your server's CPU capacity — the hash operation should take between 100ms and 500ms to remain practical for login flows while being slow enough to deter attackers.
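The hash layout and the cost recommendation above can be checked against stored hashes with a small parser. This is an added example, not code from the tool; the function names, the sample strings and the default min_cost of 10 are assumptions made for illustration.

```python
import base64
import re

# bcrypt's base64 alphabet: same bit packing as standard base64, different
# character order, no padding.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_B64, STD_B64)

# $<version>$<two-digit cost>$<22-char salt><31-char hash>
_HASH_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Constructed sample values: correct shape, not the hash of any password.
_SALT = "abcdefghijklmnopqrstuu"
_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
SAMPLE_COST_8 = "$2b$08$" + _SALT + _DIGEST
SAMPLE_COST_12 = "$2b$12$" + _SALT + _DIGEST


def _decode(field):
    """Decode one bcrypt-base64 field to raw bytes."""
    std = field.translate(_TO_STD)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string into its fields; ValueError if malformed."""
    m = _HASH_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # range bcrypt accepts for the cost factor
        raise ValueError("cost factor out of range")
    return {"version": version, "cost": cost, "iterations": 2 ** cost,
            "salt": _decode(salt), "digest": _decode(digest)}


def needs_rehash(hash_str, min_cost=10):
    """True if the stored hash is below the cost policy (min_cost is assumed)."""
    return parse_bcrypt(hash_str)["cost"] < min_cost


if __name__ == "__main__":
    for h in (SAMPLE_COST_8, SAMPLE_COST_12):
        p = parse_bcrypt(h)
        print(p["version"], p["cost"], len(p["salt"]) * 8, needs_rehash(h))
```

Running needs_rehash over stored hashes at login time identifies accounts whose password should be re-hashed at the current cost once the user has authenticated.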
Bcrypt is specifically designed for password hashing with three key advantages: built-in random salt generation (preventing rainbow table attacks), an adjustable cost factor (adapting to faster hardware), and intentionally slow computation (deterring brute-force attacks). SHA-256 is too fast for password hashing, allowing attackers to test billions of guesses per second.