About Bcrypt Hash Tester

Generate bcrypt hashes and verify passwords against hashes. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Testing password hashing during authentication system development
• Verifying bcrypt hash compatibility across backend services
• Comparing hash output at different cost factors for tuning
• Validating password migration from legacy hashing algorithms

Tips

• Generate hashes with different cost factors to compare speed
• Verify a plaintext password against an existing bcrypt hash
• Use cost factor 12 as a balance between security and performance

Fun Facts

• Bcrypt was designed by Niels Provos and David Mazieres in 1999, based on the Blowfish cipher by Bruce Schneier.
• Bcrypt's adaptive cost factor means you can increase hashing time as hardware gets faster, unlike fixed-speed algorithms like MD5.
• At cost factor 12, a single bcrypt hash takes about 250ms to compute, making brute-force attacks impractical even with modern GPUs.

FAQ

Generate and verify, or just one?

Both. Generate mode produces a hash from a password + cost. Verify mode checks a password against an existing hash.

Why is verify slow?

Bcrypt is intentionally expensive. Higher cost means slower — that's the security feature. Expect 100-500ms per verify at cost 10-12.

Does bcrypt have a length limit?

Yes — 72 bytes (not characters). Passwords longer than that are silently truncated. If you need to accept long passwords, pre-hash with SHA-256 and bcrypt the hash.

Should I use bcrypt or argon2?

Argon2 for new systems. Bcrypt for existing systems — don't migrate for migration's sake. Both are OWASP-approved for password storage.