About Bcrypt Demo Hash

Generate a bcrypt-style hash preview — configurable cost rounds (4-14). Part of the DevTools Surf developer suite. Browse more tools in the Generators collection.

Use Cases

• Backend devs previewing bcrypt output for documentation
• Security engineers comparing cost factor timing tradeoffs
• QA teams generating expected hash values for auth test suites
• Technical writers documenting password storage implementations

Tips

• Cost factor 10 is the standard balance of speed and security
• Higher cost rounds double computation time per increment
• Use the output format to document expected hashes in tests

Fun Facts

• Bcrypt was designed by Niels Provos and David Mazieres in 1999, based on the Blowfish cipher — it was specifically engineered to be slow to resist brute-force attacks.
• Each increment of the bcrypt cost factor doubles the computation time: cost 10 takes ~100ms, cost 12 takes ~400ms, and cost 14 takes ~1.6 seconds on typical hardware.
• Bcrypt internally truncates passwords at 72 bytes — a limitation that led to the development of alternatives like Argon2 for handling longer passphrases.

FAQ

Is this a real bcrypt implementation?

Yes — a browser-side bcrypt that produces valid $2b$ format hashes. Verifiable by any bcrypt-compatible library.

Which cost should I use?

10–12 for web apps (login takes 100-300ms, acceptable UX). 14+ for high-value credentials (takes seconds — too slow for login). 4 is insecure; only use for tests.

Why is it slow in the browser?

Bcrypt is intentionally expensive. Browser JS adds ~2-3x overhead vs native. For production, hash server-side in compiled code.

Is argon2 better than bcrypt?

For new projects yes — memory-hardness resists GPU attacks. Bcrypt is still fine for existing systems; don't migrate just to migrate. OWASP accepts both.