Bcrypt Hash Generator
Generate bcrypt password hashes with configurable cost factor.
Why bcrypt for Password Storage
Unlike fast hashes like MD5 or SHA-256, bcrypt is intentionally slow. A single bcrypt hash with cost factor 12 takes ~250ms — negligible for a user logging in, but devastating for an attacker trying billions of guesses.
bcrypt also includes a built-in random salt, so identical passwords produce different hashes. This eliminates rainbow table attacks entirely, and it means that cracking one stored hash tells an attacker nothing about any other user's hash, even when two users chose the same password.
Cost Factor Tuning
The cost factor should be tuned to your server hardware. The goal is to make each hash take ~250ms in production:
| Cost Factor | Iterations | Approx. Time | Notes |
|---|---|---|---|
| 10 | 1,024 | ~65ms | Minimum for production |
| 11 | 2,048 | ~130ms | Good for low-spec servers |
| 12 | 4,096 | ~250ms | Recommended default (2024) |
| 13 | 8,192 | ~500ms | High-security applications |
| 14 | 16,384 | ~1s | Maximum practical for most apps |
Re-benchmark annually. As hardware improves, increase the cost factor. Many frameworks support transparent re-hashing on login.
bcrypt vs scrypt vs Argon2
| Property | bcrypt | scrypt | Argon2id |
|---|---|---|---|
| Year | 1999 | 2009 | 2015 |
| CPU-hard | Yes | Yes | Yes |
| Memory-hard | No (4 KB) | Yes (configurable) | Yes (configurable) |
| GPU/ASIC resistant | Moderate | Good | Excellent |
| Max password length | 72 bytes | Unlimited | Unlimited |
| Library support | Excellent | Good | Growing |
| Recommendation | Battle-tested default | Good alternative | Best choice if available |
If your platform supports Argon2id, prefer it. Otherwise, bcrypt remains a solid and battle-tested choice that is far better than any fast hash.
Frequently Asked Questions
What is bcrypt?
bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. It is intentionally slow and includes a built-in salt, making it resistant to brute-force and rainbow table attacks. It remains one of the most widely used password hashing algorithms.
What is the cost factor?
The cost factor (also called "work factor" or "rounds") determines how computationally expensive the hash is. It's a logarithmic value: cost 10 = 2^10 = 1,024 iterations; cost 12 = 2^12 = 4,096 iterations. Each increment doubles the time. A cost of 12 is the standard recommendation for most applications in 2024.
What cost factor should I use?
Target ~250ms per hash on your production hardware. In 2024, cost 12 is a good default. For high-security applications, use 13-14. Test on your actual server — if login takes too long, lower the cost. Many frameworks let you upgrade hashes transparently when users log in.
bcrypt vs scrypt vs Argon2 — which should I use?
Argon2id is the current recommendation (winner of the 2015 Password Hashing Competition). It resists both GPU and ASIC attacks by requiring large amounts of memory. scrypt is memory-hard and a solid choice if Argon2 is unavailable. bcrypt is battle-tested and widely supported, but is not memory-hard.
Why does the same password produce different bcrypt hashes?
bcrypt automatically generates a random 128-bit salt for each hash. The salt is embedded in the output string (after the cost factor). This means the same password will produce a different hash every time — which is by design. Verification works by extracting the salt from the stored hash and re-hashing the input.
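To make the layout of that output string concrete, here is an added pure-Python parser (not the generator's own code, no bcrypt library needed) that splits a stored hash into version, cost, the 128-bit salt and the digest. It assumes the standard 60-character `$2?$NN$...` format and bcrypt's own base64 alphabet; the sample string is used only to exercise the parser, and no claim is made about which password it encodes.

```python
import re

# bcrypt's own base64 alphabet (it is not the RFC 4648 one)
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char digest>, 60 characters in total
_HASH_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Sample hash string used only to exercise the parser below.
SAMPLE = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; trailing bits that do not fill a byte are dropped."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out)


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raises ValueError if malformed."""
    m = _HASH_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost_str, salt_b64, digest_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return {
        "version": version,
        "cost": cost,
        "iterations": 2 ** cost,                 # cost is logarithmic
        "salt": bcrypt_b64decode(salt_b64),      # 16 bytes = the 128-bit salt
        "digest": bcrypt_b64decode(digest_b64),  # 23 bytes (bcrypt encodes 23 of its 24 output bytes)
    }


def is_bcrypt_hash(stored: str) -> bool:
    """True if the string has a well-formed bcrypt layout."""
    try:
        parse_bcrypt_hash(stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fields = parse_bcrypt_hash(SAMPLE)
    print(f"version={fields['version']} cost={fields['cost']} "
          f"({fields['iterations']} iterations) salt={fields['salt'].hex()}")
```

This is exactly what a verifier does before re-hashing: it never needs a separate salt column, because the salt and cost travel inside the stored string.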