Bcrypt Hash Generator & Verifier
Generate bcrypt hashes with a configurable cost factor and verify passwords against existing hashes. The measured hashing time shows exactly why bcrypt is the right choice for passwords.
Why Bcrypt for Passwords?
Unlike SHA-256, which takes microseconds, bcrypt at cost 12 takes ~300ms — making brute-force attacks 100,000× harder. Cost factor 12 is the current recommended minimum, and each increment doubles the time. Bcrypt also salts each hash automatically, so two identical passwords produce different hashes. For new systems in 2025, consider Argon2id (winner of the Password Hashing Competition) — but bcrypt remains widely deployed and well understood.
How Hashing Works
Password: plain-text password — bcrypt truncates at 72 bytes (UTF-8)
Salt: 16 cryptographically random bytes generated per hash — prevents rainbow tables and batch attacks
Cost: work factor N — bcrypt runs 2^N EksBlowfish setup rounds. Cost 12 ≈ 300ms. Each +1 doubles time.
Key setup: Blowfish key schedule expanded 2^N times using the password and salt — deliberately expensive
Output: $2b$NN$<22-char salt><31-char hash> — 60-char self-contained string ready to store
How Verification Works
Candidate: plain-text candidate password to check against the stored hash
Parse: split the $2b$ string — extract the algorithm version, cost factor, and embedded 22-char salt
Recompute: run the full EksBlowfish KDF with the extracted salt and cost — produce a new hash
Compare: match the new hash against the stored hash using a timing-safe comparison — prevents timing attacks
Result: if the hashes are identical the password is correct — the plain-text is never stored
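As an added example (not code from this tool), a Python parser for the 60-char $2b$ layout described above, the rehash-policy and timing-safe checks from the verification steps, and a helper that picks a cost from the doubling rule; the sample string is constructed to match the layout and is not the digest of any real password.

```python
import hmac, re
# bcrypt's own base64 alphabet: different symbol order from RFC 4648 and no padding
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_B64_INDEX = {c: i for i, c in enumerate(BCRYPT_B64)}
_HASH_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Constructed sample in the right layout (assumption: not the real digest of any password)
SAMPLE = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"

def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt base64; leftover bits that do not fill a byte are dropped."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits, nbits = (bits << 6) | _B64_INDEX[ch], nbits + 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)

def parse_bcrypt_hash(stored: str) -> dict:
    """Split a stored $2b$ string into version, cost, 16-byte salt and 23-byte digest."""
    m = _HASH_RE.match(stored)
    if m is None:
        raise ValueError("not a well-formed 60-char bcrypt string")
    version, cost_txt, salt_txt, hash_txt = m.groups()
    cost = int(cost_txt)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's valid range 4..31")
    return {"version": version, "cost": cost, "rounds": 1 << cost,
            "salt": bcrypt_b64decode(salt_txt), "digest": bcrypt_b64decode(hash_txt)}

def needs_rehash(stored: str, min_cost: int = 12) -> bool:
    """Policy check: rehash at the next successful login if the stored cost is below the minimum."""
    return parse_bcrypt_hash(stored)["cost"] < min_cost

def hashes_equal(computed: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed string against the stored one."""
    return hmac.compare_digest(computed.encode(), stored.encode())

def cost_for_budget(measured_ms: float, measured_cost: int, budget_ms: float) -> int:
    """Largest cost whose predicted time fits the budget, assuming time doubles per +1 cost."""
    cost, predicted = measured_cost, measured_ms
    while predicted * 2 <= budget_ms and cost < 31:
        predicted, cost = predicted * 2, cost + 1
    while predicted > budget_ms and cost > 4:
        predicted, cost = predicted / 2, cost - 1
    return cost
```

The real KDF step is deliberately left to a bcrypt library; this block only handles the stored-string format and the surrounding policy checks.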
Spec: Bcrypt (Provos & Mazières, 1999 USENIX), $2b$ variant