Generate secure Bcrypt password hashes with our free online tool. Create cryptographically strong hashes for password storage with customizable work factors. All processing happens in your browser - your data never leaves your device.
Complete Guide to Bcrypt
What is Bcrypt?
Bcrypt is a password-hashing function designed by Niels Provos and David Mazières and presented at USENIX in 1999. It is built on the key schedule of the Blowfish block cipher and has been OpenBSD's default password hash since release 2.1 in 1997. It is deliberately slow and computationally intensive, so that every guess an attacker makes costs as much as a legitimate login.
Unlike general-purpose hash functions such as MD5 or SHA-256, which are built to be fast, bcrypt is an adaptive function: its work factor (cost) can be raised over time to make it slower, so it remains resistant to brute-force search even as computing power increases.
Key Features
- Adaptive work factor (cost factor) - lets you raise the computation time as hardware gets faster, without changing the algorithm
- Built-in salt handling - the library generates a random 128-bit salt and stores it inside the hash string, so nothing has to be managed separately
- Constant-time verification - the compare functions of mainstream libraries (bcrypt.compare, bcrypt.checkpw, password_verify) avoid leaking information through timing; this is a property of the library, not of the algorithm, so never compare hash strings with == yourself
- Future-proofed against Moore's Law - the cost can be raised for new hashes, and old hashes can be re-hashed at the user's next login
- Industry standard for password hashing - widely adopted and thoroughly tested over more than two decades
- Non-reversible - computationally infeasible to recover the password from the hash; an attacker can only guess candidates and hash each one
- Unique hash per password - the same password produces a different hash each time because of the random salt, so identical passwords across users are not visible in the database
Hash Format
A bcrypt hash is a 60-character string that consists of several parts:
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
- $2a$ - Version identifier; "$" separates the version and the cost, then the salt and the hash run together
  - $2$ - The original 1997 format, no longer produced
  - $2a$ - 2002 revision: the password is processed as a NUL-terminated string (the original did not guarantee this)
  - $2b$ - OpenBSD's 2014 revision: fixes a length wraparound bug for passwords longer than 255 bytes
  - $2x$ / $2y$ - PHP's crypt_blowfish: $2x$ marks hashes made with a sign-extension bug on non-ASCII (8-bit) characters, $2y$ marks hashes made after that fix
- 10 - Work factor (cost)
  - Two decimal digits; the expensive key setup runs 2^cost times
  - Range from 4 to 31
  - Each increment doubles the required time
- 22 characters - Salt
  - 16 random bytes, generated per password
  - Prevents rainbow table attacks and makes identical passwords hash differently
  - Encoded with bcrypt's own Base-64 alphabet (./A-Za-z0-9, no padding), not the standard one
- 31 characters - Hash
  - The actual hashed password: 23 bytes derived from the password and the salt
  - Encoded with the same Base-64 alphabet as the salt
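The following is an added example, not code from the tool above or from any bcrypt library: a small parser and validator for the 60-character format just described, using only the Python standard library. It splits a stored string into version, cost, salt and hash, applies the range checks a verifier applies, and decodes the salt and hash with bcrypt's own Base-64 alphabet (the standard alphabet would give wrong bytes). The example hash string is the one shown above; the function names are this example's own.

```python
import re

# bcrypt's own Base-64 alphabet (./A-Za-z0-9, no padding); the standard
# alphabet (A-Za-z0-9+/) would decode the salt and hash incorrectly.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22 salt chars><31 hash chars>  -> 60 characters in total
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# The example hash from the text above, used here as a constructed input.
EXAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def bcrypt_b64_decode(text: str) -> bytes:
    """Decode bcrypt's Base-64 variant: 6 bits per character, big-endian;
    trailing bits that do not fill a whole byte are discarded."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        idx = BCRYPT_B64.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in bcrypt's Base-64 alphabet")
        acc = (acc << 6) | idx
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt(hash_string: str) -> dict:
    """Split a bcrypt string into its fields and apply the sanity checks a
    verifier would: known version prefix, two-digit cost in 4..31, exact
    field lengths and alphabet. Raises ValueError for anything else."""
    m = _BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt string: expected $2?$NN$ followed by 53 Base-64 characters")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's range 4..31")
    salt = bcrypt_b64_decode(m.group("salt"))     # 22 chars -> 16 bytes
    digest = bcrypt_b64_decode(m.group("hash"))   # 31 chars -> 23 bytes
    return {
        "version": m.group("version"),
        "cost": cost,
        "iterations": 2 ** cost,   # expensive key-setup rounds
        "salt": m.group("salt"),
        "salt_bytes": salt,
        "hash": m.group("hash"),
        "hash_bytes": digest,
    }


def is_valid_bcrypt(hash_string: str) -> bool:
    """Boolean form of parse_bcrypt, handy for auditing stored rows."""
    try:
        parse_bcrypt(hash_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fields = parse_bcrypt(EXAMPLE_HASH)
    print(f"version={fields['version']} cost={fields['cost']} "
          f"salt={fields['salt_bytes'].hex()} hash={fields['hash_bytes'].hex()}")
```

A check like is_valid_bcrypt is worth running over a user table after a migration: a row whose string is not 60 characters, has an unknown prefix or an out-of-range cost will never verify, and finding it before users do is cheaper than a support ticket.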
Implementation Examples
Node.js:
const bcrypt = require('bcrypt');
const saltRounds = 10; // cost; the salt itself is generated by the library

(async () => {
  const hash = await bcrypt.hash('password', saltRounds);   // 60-char $2b$10$... string
  const match = await bcrypt.compare('password', hash);     // re-hashes with the salt embedded in `hash`
  console.log(match); // true
})();
Python:
import bcrypt

password = b"password"                                        # bcrypt wants bytes, at most 72 of them
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))  # gensalt() defaults to cost 12
if bcrypt.checkpw(password, hashed):                          # constant-time compare; salt is read from `hashed`
    print("Match")
Security Considerations
- Higher work factors provide better security but require more processing time (rough single-core figures; measure on your own hardware)
  - Factor 10: ~10 hashes/sec (about 100 ms per hash)
  - Factor 12: ~2-3 hashes/sec
  - Factor 14: ~1 hash/sec
- Work factor should be adjusted based on server capabilities and login volume: the cost is paid on every login, and an attacker pays the same cost per guess
- Recommended minimum work factor is 10; 12 is a common library default today
- Each increment of the work factor doubles the processing time
- Maximum password length is 72 bytes, not characters: longer input is silently truncated, so two passwords that agree on their first 72 bytes verify against the same hash
- Should be combined with other security measures like rate limiting and account lockout, since a slow hash only raises the cost of each guess
Comparison with Other Algorithms
vs MD5/SHA:
- Much slower (intentionally): general-purpose hashes are built to be fast, which is exactly what a password cracker wants
- Built-in salt management: a bare SHA-256 of a password is unsalted unless you add that yourself
- Adaptive complexity: a fixed-cost hash gets cheaper to attack every year; bcrypt's cost can be raised
vs Argon2:
- More widely supported: mature implementations exist in practically every language and platform
- Simpler to implement and configure: one parameter (cost) instead of Argon2's memory, time and parallelism settings
- Less memory-intensive: bcrypt works in about 4 KB of state, while Argon2id is typically tuned to tens of megabytes. This is a weakness rather than a strength, because memory hardness is what makes GPU and ASIC cracking expensive. bcrypt still slows GPUs down far more than SHA does, but a new system without a compatibility requirement is generally better served by Argon2id
Best Practices
- Always use unique salts for each password: let the library generate them (gensalt, or bcrypt.hash with a rounds count); never hard-code or reuse a salt string
- Choose appropriate work factor based on system resources and login volume
  - Aim for ~250ms per hash operation
  - Test on your production hardware, under realistic concurrent load
  - Monitor and adjust as needed
- Store the complete 60-character hash string including algorithm identifier, cost and salt; verification needs all of them
- Use constant-time comparison for verification: call the library's compare/checkpw function rather than comparing strings with ==
- Regularly update work factors as hardware improves; because the cost is stored in each hash, old entries can be re-hashed transparently at the user's next successful login
- Implement password strength requirements: a slow hash does not protect a password that is in every wordlist
- Add rate limiting and account lockout to prevent online brute force attempts
- Consider using a pepper in addition to the salt for extra security: a server-side secret kept outside the database (HSM, KMS or environment), applied via HMAC before bcrypt, so a dumped database alone is not enough to start cracking
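As an added example (not part of the page's tool or of any library), this is how the two practices above of calibrating the work factor on your own hardware and re-hashing old entries at login fit together. benchmark_cost and verify_and_upgrade assume the PyPI package `bcrypt` (bcrypt.hashpw, bcrypt.gensalt, bcrypt.checkpw, all real calls); pick_cost needs only the doubling rule and the standard library. The stored hash string and the 250 ms target are taken from the text; the function names and the policy_cost parameter are this example's own.

```python
import math
import time

TARGET_SECONDS = 0.25      # the ~250 ms per hash the text recommends
MIN_COST, MAX_COST = 4, 31 # bcrypt's legal cost range

# A stored hash of the shape the libraries above produce; the cost is the two
# digits after the second '$'. This is the page's example string, used as input.
LEGACY_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def cost_of(stored_hash: str) -> int:
    """Read the work factor out of a stored bcrypt string."""
    return int(stored_hash.split("$")[2])


def pick_cost(measured_cost: int, measured_seconds: float,
              target_seconds: float = TARGET_SECONDS) -> int:
    """Each +1 in cost doubles the time, so the cost that lands closest to the
    target is measured_cost + log2(target / measured), clamped to bcrypt's range."""
    steps = round(math.log2(target_seconds / measured_seconds))
    return max(MIN_COST, min(MAX_COST, measured_cost + steps))


def needs_rehash(stored_hash: str, policy_cost: int) -> bool:
    """True when the stored hash was made with a weaker cost than current policy."""
    return cost_of(stored_hash) < policy_cost


def benchmark_cost(cost: int, password: bytes = b"correct horse battery staple") -> float:
    """Seconds for one hash at `cost` on this machine (needs the PyPI `bcrypt` package).
    Run it on the production hardware, not a laptop, and under the load you expect."""
    import bcrypt
    start = time.perf_counter()
    bcrypt.hashpw(password, bcrypt.gensalt(rounds=cost))
    return time.perf_counter() - start


def verify_and_upgrade(password: bytes, stored_hash: bytes, policy_cost: int):
    """Login-time check that transparently re-hashes weak entries. Returns
    (ok, replacement_hash_or_None); the caller stores the replacement when present.
    The plaintext is only available here, so this is the moment to upgrade."""
    import bcrypt
    if not bcrypt.checkpw(password, stored_hash):   # constant-time inside the library
        return False, None
    if needs_rehash(stored_hash.decode("ascii"), policy_cost):
        return True, bcrypt.hashpw(password, bcrypt.gensalt(rounds=policy_cost))
    return True, None


if __name__ == "__main__":
    seconds = benchmark_cost(10)
    print(f"cost 10 took {seconds * 1000:.0f} ms on this host; "
          f"use cost {pick_cost(10, seconds)} for ~{TARGET_SECONDS * 1000:.0f} ms")
```

Because the cost travels inside each hash string, nothing about existing rows has to change when policy_cost goes up: needs_rehash picks them out one login at a time, and an audit query on the cost digits shows how much of the table is still on the old setting.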
Troubleshooting
Common Issues:
- Performance problems
  - Reduce the work factor, but not below the recommended minimum; by the doubling rule one step halves the time
  - Do not cache hash results: verify the password once per login and issue a session token, so the cost is paid once per session rather than once per request
  - Consider hardware upgrades, or keep hashing off the request thread (the Node bcrypt.hash call is asynchronous for this reason)
- Truncated passwords
  - Warn users about the 72-byte limit, and measure it in UTF-8 bytes, not characters
  - Pre-hash longer passwords, but encode the digest (Base-64 or hex) before passing it to bcrypt: a raw digest can contain a NUL byte, which ends the string early. Pre-hashing also changes what bcrypt sees, so it must be applied identically on every verification
- Version compatibility
  - Check prefix ($2a$, $2b$, $2y$): $2y$ hashes from PHP are computed the same way as $2a$/$2b$, so a library that rejects the prefix can verify them once it is rewritten; $2x$ hashes were produced by a buggy implementation and should be replaced through a password reset
  - Update library if needed; current Node and Python libraries emit $2b$, PHP's password_hash() emits $2y$
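The 72-byte limit noted under Security Considerations and the pre-hashing advice above share one added example, which is not code from the page's tool or from any bcrypt library and needs only the Python standard library. It measures the limit in UTF-8 bytes rather than characters, rejects NUL bytes, shows when two different passwords are indistinguishable to bcrypt, and folds a long password into 44 NUL-free ASCII bytes with an HMAC pepper before bcrypt would see it. The pepper value, the password strings and the function names are this example's own.

```python
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72


def utf8_length(password: str) -> int:
    """bcrypt counts bytes, so the character count can mislead for non-ASCII input."""
    return len(password.encode("utf-8"))


def fits_bcrypt(password: str) -> bool:
    """True only if bcrypt would use every byte of the password."""
    data = password.encode("utf-8")
    # A NUL ends the string in C-based implementations, so anything after it is dropped too.
    return len(data) <= BCRYPT_MAX_BYTES and b"\x00" not in data


def password_bytes(password: str) -> bytes:
    """Encode for bcrypt, refusing anything it would silently cut short."""
    if not fits_bcrypt(password):
        raise ValueError(
            f"password is {utf8_length(password)} UTF-8 bytes or contains NUL; "
            f"bcrypt uses at most {BCRYPT_MAX_BYTES} bytes")
    return password.encode("utf-8")


def truncates_to_same(a: str, b: str) -> bool:
    """Two different passwords bcrypt cannot tell apart: identical first 72 bytes."""
    return a != b and a.encode("utf-8")[:BCRYPT_MAX_BYTES] == b.encode("utf-8")[:BCRYPT_MAX_BYTES]


def prehash(password: str, pepper: bytes) -> bytes:
    """Fold a password of any length into 44 NUL-free ASCII bytes before bcrypt.
    HMAC-SHA256 with a server-side pepper (an assumed secret kept outside the
    database); the digest is Base-64 encoded rather than passed raw, because a raw
    digest can contain 0x00 and would be truncated there. Changing the pepper
    invalidates every hash, so version it alongside the hash if it must rotate."""
    digest = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)   # 44 bytes: well under 72 and never contains NUL


if __name__ == "__main__":
    # Constructed inputs: 20 lock emoji are 20 characters but 80 UTF-8 bytes.
    emoji_pw = "\U0001F512" * 20
    print(len(emoji_pw), utf8_length(emoji_pw), fits_bcrypt(emoji_pw))
    print(truncates_to_same("a" * 72 + "x", "a" * 72 + "y"))
    print(prehash("a" * 500, b"example-pepper"))
```

Feed the result of prehash, not the raw password, to bcrypt.hashpw and bcrypt.checkpw in both the registration and the login path; the bcrypt string stored in the database is then a hash of the pre-hash, and it will not verify against the bare password.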