How to Hash a Password with Bcrypt Online — Free (2026)

The brevio Bcrypt Hash Generator hashes and verifies passwords using bcrypt entirely in your browser. Your plaintext never leaves your device — verified via the DevTools Network tab. No account, no upload.

What Is Bcrypt?

Bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières in 1999. Unlike general-purpose hash functions (MD5, SHA-256), bcrypt is deliberately slow and includes a cost factor (salt rounds) that can be increased as hardware improves. It is the standard choice for password hashing in web applications.

How Bcrypt Works

1. A random salt is generated. The salt is 128 bits of cryptographically random data, generated per password. This means two identical passwords produce completely different hashes — rainbow table attacks are useless.
2. The password is combined with the salt and hashed. The Blowfish cipher is applied with a cost factor that controls the number of iterations (2^cost). At cost 10, bcrypt performs 1,024 iterations; at cost 14, it performs 16,384.
3. The cost, salt, and hash are combined into a single string. The output starts with $2a$ (or $2b$) followed by the cost factor, the 22-character salt, and the 31-character hash.

Understanding the Bcrypt Hash Format

$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
 |  |  |                    |
 |  |  +-- 22-char salt     +-- 31-char hash
 |  +-- cost factor (10 rounds = 2^10 = 1,024 iterations)
 +-- bcrypt version (2a or 2b)

How to Hash a Password Step by Step

1. Open the Bcrypt Hash Generator.
2. Select the Hash tab.
3. Enter your password. Use a strong test password — remember this is a client-side tool and your input stays in the browser.
4. Choose salt rounds. The default is 10. Each increment doubles the hashing time: 11 = 2× slower than 10, 12 = 4× slower. OWASP recommends a minimum of 10; 12 is a reasonable current target; 14 is for high-security scenarios.
5. Click Generate Hash. Hashing takes a moment at higher round counts — this is intentional and is what makes bcrypt brute-force resistant.
6. Copy the hash. The full bcrypt string (including $2a$ prefix, salt, and hash) is ready to store in your database.

How to Verify a Password Against a Hash

1. Switch to the Verify tab.
2. Enter the plaintext password.
3. Paste the bcrypt hash. The full $2a$... string.
4. Click Verify. The tool re-hashes the plaintext with the same salt and cost extracted from the hash, then compares the result. Match = the password is correct.

Choosing the Right Salt Rounds

Bcrypt vs Argon2 vs PBKDF2

Bcrypt remains the most widely supported choice in 2026 due to universal library support. Argon2 (winner of the Password Hashing Competition, 2015) is the modern recommendation — it is memory-hard, making GPU attacks more expensive. PBKDF2 is used in NIST guidelines and FIPS-compliant environments. For new applications: use Argon2id if your runtime supports it, otherwise bcrypt with at least 12 rounds.

Frequently Asked Questions

Can I decrypt a bcrypt hash?

No. Bcrypt is a one-way hash function — it is not encryption and cannot be reversed. To verify a password, you hash the candidate password with the same salt (extracted from the stored hash) and compare the result. There is no way to get the original password back from a bcrypt hash.

Is it safe to hash passwords client-side?

For storing passwords in your application, hashing must happen server-side, ideally after the password has been transmitted over HTTPS. Client-side hashing in this tool is for learning, testing, and verification purposes. If you client-side hash before sending, the hash becomes the effective password — still hash again server-side.

What should I store in the database?

Store only the full bcrypt string (the $2a$... output). It contains the version, cost factor, salt, and hash in one string. Most bcrypt libraries parse this string automatically during verification — you do not need to store the salt separately.

How often should I increase my bcrypt cost factor?

OWASP recommends targeting 1-second hash time on your server hardware. As hardware improves (roughly Moore's law doubling every 18 months), increase cost by 1 every 2–3 years. Bcrypt supports migrating: re-hash on next successful login, so you can increase cost without requiring all users to reset their passwords.