.env · security

Bcrypt Generator

Hash a password with bcrypt in your browser. Choose cost factor (rounds 10–14), verify an existing hash, and copy the result. Nothing is sent to any server.

Be the first to rate
Password / plaintext
Cost factor (rounds) — higher = slower = more secure
Rounds 10–12 are standard. Each +1 doubles hashing time.
CLI equivalents
Node.js (bcryptjs)
node -e "const b=require('bcryptjs'); console.log(b.hashSync('pw',12))"
Python (bcrypt)
python3 -c "import bcrypt; print(bcrypt.hashpw(b'pw',bcrypt.gensalt(12)))"

What it does

  • Hash passwords with configurable cost factor (rounds 10–14)
  • Verify a plaintext password against an existing bcrypt hash
  • Runs entirely in-browser via bcryptjs — nothing is uploaded
  • Cost factor selector with estimated timing guidance

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Generating a test hash to paste into your database seeder
  • Verifying a user-submitted password matches a stored hash during debugging
  • Choosing the right cost factor by comparing hash times on your hardware
  • Learning how bcrypt works before integrating it into your stack

Common mistakes

  • Choosing cost factor 8 or lower — brute-force becomes trivially cheap
  • Using SHA-256 or MD5 for password storage — they are not password hashing functions
  • Ignoring the 72-byte truncation limit when allowing passphrases
  • Reusing the same hash for two users with the same password — bcrypt adds a unique salt automatically; trust it

What is bcrypt?

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. Unlike SHA-256 or MD5, bcrypt is deliberately slow — it includes a configurable cost factor (rounds) that makes brute-force attacks computationally expensive even with modern GPU hardware.

A bcrypt hash looks like $2b$12$..., where 2b is the algorithm version, 12 is the cost factor, and the remaining characters encode a 22-character salt and 31-character hash.

Choosing the right cost factor

The cost factor is a base-2 exponent: cost 12 means 2^12 = 4,096 rounds of the internal Blowfish cipher. Each +1 doubles the time to hash. Choose the highest factor your server can handle while keeping login under ~300ms:

  • 10 — fast (<100ms), acceptable for high-traffic endpoints
  • 12 — default for most frameworks (Passport.js, Django, Laravel)
  • 13–14 — recommended for admin accounts or low-frequency logins

bcrypt in your stack

Node.js / Next.js — use bcryptjs (pure JS, works in edge runtime) or bcrypt (native, faster):

import bcrypt from 'bcryptjs';
const hash = await bcrypt.hash(password, 12);
const match = await bcrypt.compare(input, hash);

Python / Django — Django's BCryptSHA256PasswordHasher handles bcrypt natively. Set it in PASSWORD_HASHERS in settings.py.

Laravel — Laravel uses bcrypt (rounds = 12) by default via Hash::make($password). No additional config needed.

Ruby on Railshas_secure_password uses bcrypt via the bcrypt gem. Cost is 12 by default, configurable with BCrypt::Engine.cost = 13.

bcrypt limitations

bcrypt silently truncates passwords longer than 72 bytes. For new projects, consider Argon2id — it is resistant to both GPU and side-channel attacks and is recommended by OWASP as the first choice since 2019.

Frequently asked questions

What is the difference between bcrypt and SHA-256?

SHA-256 is a general-purpose hash function — it is extremely fast, which makes it easy to brute-force password hashes at billions of attempts per second. bcrypt is a purpose-built password hashing function that is deliberately slow. Its cost factor (rounds) is a base-2 exponent that makes brute-force attacks computationally expensive even with modern GPU hardware.

Is my password sent to a server when I use this tool?

No. The bcrypt hashing runs entirely in your browser using the bcryptjs library (pure JavaScript). Your password never leaves your machine and nothing is uploaded or logged.

What cost factor should I use?

OWASP recommends a minimum cost of 10, with 12 as the preferred default. Use 10 for high-traffic endpoints where login latency is critical, 12 for most applications, and 13–14 for admin accounts or low-frequency logins. Each +1 doubles the time to hash — aim for ~200–300ms on your server hardware.

Can bcrypt handle passwords longer than 72 bytes?

No — bcrypt silently truncates passwords at 72 bytes. If you need to support long passphrases, pre-hash the password with SHA-256 before passing it to bcrypt. This is exactly what Django's BCryptSHA256PasswordHasher does. For new projects, consider Argon2id, which has no such length limit and is OWASP's top recommendation since 2019.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.