
How to Hash a Password with Bcrypt (2026)

By Rui Barreira · Last updated: 18 June 2026

Bcrypt is the most widely recommended algorithm for hashing passwords. Unlike general-purpose hash functions such as SHA-256, bcrypt is deliberately slow — its cost factor lets you tune work to keep brute-force attacks expensive even as hardware improves. Use the Bcrypt Simulator to hash a password and verify hashes instantly, entirely in your browser.

How Bcrypt Works

Bcrypt applies a modified Blowfish cipher in a loop controlled by a cost factor (also called rounds or work factor). Each increment of the cost factor doubles the computation time. The output is a 60-character string that encodes the algorithm version, cost factor, salt, and hash together — so you only need to store one value per password.

A bcrypt hash looks like this: $2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW. The $2b$ prefix is the version, 12 is the cost factor, the next 22 characters are the Base64-encoded salt, and the remaining 31 characters are the hash.

Choosing the Right Cost Factor

The cost factor controls how long a single hash takes. The goal is to make hashing slow enough to deter brute force, but fast enough not to degrade your login UX. A good target is 100–300ms per hash on your production hardware. The table below shows typical timings on modern server hardware.

Cost Factor | Approximate Time | Recommendation
10 | ~100ms | Minimum for new systems
12 | ~400ms | Current best practice
14 | ~1.5s | High-security contexts
16 | ~6s | Too slow for most logins

OWASP recommends a minimum cost factor of 10, with 12 being the current practical standard. Increase by 1 every 18–24 months to keep pace with hardware improvements.
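Raising the cost factor over time only helps if older hashes are found and replaced. The following is an added example, not code from this page or from any bcrypt library: it parses the hash layout described under "How Bcrypt Works" and flags stored hashes whose cost is below the current policy. The names parse_bcrypt, needs_rehash, work_ratio and TARGET_COST are assumptions made for the illustration, and it uses only the Python standard library.

```python
import re

# Layout from the section above: $<version>$<cost>$<22-char salt><31-char hash>.
# bcrypt's Base64 variant uses the alphabet ./A-Za-z0-9 (no '+' or '=').
_B64 = r"[./A-Za-z0-9]"
_BCRYPT_RE = re.compile(rf"\$(2[abxy]?)\$(\d{{2}})\$({_B64}{{22}})({_B64}{{31}})")

TARGET_COST = 12  # assumption: the "current best practice" row of the table


def parse_bcrypt(stored: str) -> dict:
    """Split a 60-character bcrypt string into its fields."""
    m = _BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:  # range bcrypt itself accepts
        raise ValueError(f"cost factor {cost} is outside 4..31")
    return {"version": version, "cost": int(cost), "salt": salt, "hash": digest}


def needs_rehash(stored: str, target_cost: int = TARGET_COST) -> bool:
    """True if the stored hash was made with a lower cost than current policy.

    Call this only after the password has verified: that is the one moment
    the plaintext is available to hash again at the new cost.
    """
    return parse_bcrypt(stored)["cost"] < target_cost


def work_ratio(stored: str, target_cost: int = TARGET_COST) -> float:
    """How many times more work one guess costs at target_cost than against `stored`."""
    return 2.0 ** (target_cost - parse_bcrypt(stored)["cost"])


# The example hash from this page (cost 12).
PAGE_HASH = "$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lW"
# Constructed for illustration: same string with the cost field set to 10.
# It only exercises the parser and is not the hash of any real password.
OLD_HASH = PAGE_HASH.replace("$12$", "$10$", 1)

if __name__ == "__main__":
    for h in (PAGE_HASH, OLD_HASH):
        f = parse_bcrypt(h)
        print(f["version"], f["cost"], needs_rehash(h), work_ratio(h))
```

Because the cost is stored inside each hash, old and new hashes can sit in the same column while users are migrated one successful login at a time.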

Hashing and Verifying in Code

Most languages have a well-maintained bcrypt library. The pattern is always the same: hash once on registration, verify on login — never compare plaintext passwords directly.

In Node.js with bcryptjs:

import bcrypt from 'bcryptjs';

// Hash (registration): 12 is the cost factor
const hash = await bcrypt.hash(password, 12);

// Verify (login): resolves to true or false
const match = await bcrypt.compare(input, storedHash);

In Python with bcrypt:

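import bcrypt

# Hash (registration): gensalt() generates a random salt at the given cost
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

# Verify (login): `attempt` is the submitted password
match = bcrypt.checkpw(attempt.encode(), hashed)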

Never log passwords or hashes, never store passwords in plaintext, and never transmit hashes over insecure channels. Use the Bcrypt Simulator to test cost factors and verify hashes without writing any code.

Frequently Asked Questions

Is this tool free?
Yes — completely free, no signup required. All processing happens in your browser.
Does the tool work offline?
Once loaded, most features work without an internet connection since everything runs client-side.