MonoCalc

🔐 bcrypt Hash Verifier – Secure Password Hashing in Your Browser

The bcrypt Hash Verifier is a fully client-side tool for working with bcrypt password hashes. Whether you need to verify a password against a stored hash, generate a new hash for testing, inspect the internal structure of a bcrypt string, or benchmark cost factors on your device — everything runs in your browser using the bcryptjs library. No passwords or hashes are ever sent to a server.

What Is bcrypt?

bcrypt is an adaptive password-hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish block cipher. Unlike general-purpose hash functions such as MD5 or SHA-256, bcrypt is intentionally slow — its configurable cost factor controls how many key-setup iterations are performed (2^cost), allowing you to scale the computational cost as hardware improves. This makes bcrypt highly resistant to brute-force and dictionary attacks.

Understanding the bcrypt Hash Format

A bcrypt hash is a 60-character string with a well-defined structure. Here is an example:

$2b$12$eImiTXuWVxfM37uY4JANjQlJaT6jqQkjzFQA5pqfMEIe5GmWqWrmy
Segment            Value                              Description
Version prefix     $2b$                               Algorithm identifier — 2b is the current standard
Cost factor        12                                 2¹² = 4,096 key-setup iterations
Salt (22 chars)    eImiTXuWVxfM37uY4JANjQ             Random 128-bit salt encoded in base64url
Digest (31 chars)  lJaT6jqQkjz…                       23-byte hash output encoded in base64url
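The breakdown above can be reproduced without any library. The following is an added example, not code from the MonoCalc tool or from bcryptjs: a dependency-free parser that splits a bcrypt string into the fields the Inspect mode shows, and reports why a string is rejected. It only reads the structure; it never computes or verifies a hash.

```javascript
// Added example (not the tool's own code): structural parser for the
// 60-character bcrypt string "$<version>$<cost>$<22-char salt><31-char digest>".
// Salt and digest use bcrypt's own 64-character alphabet ./A-Za-z0-9.
const BCRYPT_HASH_RE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;
const MIN_COST = 4;   // lowest cost bcrypt implementations accept
const MAX_COST = 31;  // highest cost bcrypt implementations accept

// Returns { ok: true, version, cost, iterations, salt, digest } for a
// well-formed hash, or { ok: false, reason } describing the first problem found.
function parseBcryptHash(hash) {
  if (typeof hash !== 'string') {
    return { ok: false, reason: 'hash is not a string' };
  }
  if (hash.length !== 60) {
    return { ok: false, reason: `expected 60 characters, got ${hash.length}` };
  }
  const m = BCRYPT_HASH_RE.exec(hash);
  if (!m) {
    return {
      ok: false,
      reason: 'malformed: bad version prefix, non-numeric cost, or characters outside ./A-Za-z0-9',
    };
  }
  const cost = Number(m[2]);
  if (cost < MIN_COST || cost > MAX_COST) {
    return { ok: false, reason: `cost ${cost} outside ${MIN_COST}..${MAX_COST}` };
  }
  return {
    ok: true,
    version: m[1],        // "2a", "2b" or "2y"
    cost,                 // two-digit work factor
    iterations: 2 ** cost, // key-setup rounds, as shown in the Inspect mode
    salt: m[3],           // 22 characters, 128 bits of salt
    digest: m[4],         // 31 characters, 23 bytes of hash output
  };
}

// Example run on the hash from the table above.
const parsed = parseBcryptHash('$2b$12$eImiTXuWVxfM37uY4JANjQlJaT6jqQkjzFQA5pqfMEIe5GmWqWrmy');
console.log(parsed);
```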

Five Modes Explained

1. Verify

Paste a plain-text password and a stored bcrypt hash, then click Verify Password. The tool runs bcrypt.compare() in the browser, returning a clear ✅ Match or ❌ No Match result along with the wall-clock time taken — useful for calibrating expected authentication latency.

2. Generate

Enter a password, choose a cost factor (4–31, default 12) and an algorithm variant ($2b$ recommended). Click Generate Hash to produce a new, randomly-salted bcrypt hash ready for copying into your application or database seed script.

3. Inspect

Paste any bcrypt hash to get a colour-coded structural breakdown showing its version, cost factor, computed iteration count, embedded salt, and hash digest — great for debugging or learning how bcrypt strings are composed.

4. Benchmark

Run a timing test across cost factors 8–14 on your own device. A bar chart shows how long each cost takes, helping you pick a value where hashing takes ≥1 second — the OWASP-recommended minimum for production password storage. Remember that your server hardware may be faster than your browser.

5. Bulk Verify

Provide a newline-separated list of up to 50 passwords and a single stored hash. The tool verifies each password in sequence, producing a match/no-match table — useful for regression testing authentication seed scripts or confirming which test account passwords are valid.

Security Notes and Best Practices

  • Use cost 12 or higher — OWASP recommends a minimum work factor of 12 (adjusted annually as hardware improves).
  • bcrypt truncates at 72 bytes — any input beyond 72 UTF-8 bytes is silently ignored. This tool warns you when your password exceeds this limit.
  • Prefer $2b$ — the $2a$ variant has a known bug with non-ASCII characters. New implementations should always use $2b$.
  • Never use MD5 or SHA for passwords — these are general-purpose hash functions designed to be fast, making them trivially brute-forceable. Use bcrypt, Argon2, or scrypt for password storage.
  • Use test credentials only — while this tool is fully client-side, treat any online tool with caution and avoid entering real production passwords.

When to Use bcrypt vs. Other Password Hashing Algorithms

bcrypt remains a solid choice for password hashing in most applications. For extremely high-security environments or when you need memory-hardness (resistance to GPU/ASIC attacks), consider Argon2id (the 2015 Password Hashing Competition winner) or scrypt. Both provide tunable memory cost in addition to time cost. However, bcrypt has outstanding library support across all major languages and frameworks, making it the most practical default for the vast majority of web applications.

💡 Tip: All operations in this tool run entirely in your browser — no network requests are made. You can verify this by opening your browser's DevTools Network tab while using the tool.

Frequently Asked Questions

Is the bcrypt Hash Verifier free?

Yes, bcrypt Hash Verifier is totally free :)

Can I use the bcrypt Hash Verifier offline?

Yes, you can install the web app as a PWA.

Is it safe to use bcrypt Hash Verifier?

Yes. Any data related to the bcrypt Hash Verifier is stored only in your browser (if storage is required at all). You can simply clear your browser cache to remove all stored data. We do not store any data on a server.

What is bcrypt and how does it work?

bcrypt is an adaptive password-hashing algorithm based on the Blowfish cipher. It incorporates a configurable cost factor that controls how computationally expensive the hash is (2^cost iterations), making it highly resistant to brute-force attacks. Unlike MD5 or SHA, bcrypt is deliberately slow, which is a security feature.

How does the bcrypt Hash Verifier work?

Enter a plain-text password and a stored bcrypt hash, then click Verify. The tool uses the bcryptjs library entirely in your browser — no data is ever sent to a server. You can also generate new hashes, inspect hash structure, benchmark cost factors on your device, or verify multiple passwords at once.

Is it safe to use this tool with real passwords?

All computation runs entirely client-side in your browser using the bcryptjs library. Your passwords and hashes are never transmitted to any server. However, as a best practice, avoid entering production credentials in any online tool — use test or dummy passwords instead.

What cost factor should I choose for bcrypt?

OWASP recommends a minimum cost factor of 12, adjusted so hashing takes at least 1 second on your server hardware. Higher cost means more security but slower response times. Use the Benchmark tab to measure how long each cost factor takes on your device, then apply that knowledge to your server configuration.

Why does bcrypt truncate passwords at 72 bytes?

bcrypt's internal algorithm uses the Blowfish cipher key schedule, which limits input to 72 bytes. Characters beyond the 72nd byte are silently ignored. This tool warns you when your password exceeds this limit. If you need to support longer passwords, consider pre-hashing with SHA-256 before bcrypt, though this approach has trade-offs.
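The following is an added example, not the tool's own code, that reproduces the 72-byte warning described here and in the Security Notes above using only the TextEncoder API available in browsers and Node. It counts UTF-8 bytes rather than characters, and also shows the consequence of truncation: two passwords that agree on their first 72 UTF-8 bytes are the same key to bcrypt.

```javascript
// Added example (not the tool's own code): the 72-byte bcrypt key limit,
// counted in UTF-8 bytes, which is what bcrypt implementations feed to the
// Blowfish key schedule.
const BCRYPT_MAX_KEY_BYTES = 72;

// The bytes bcrypt will actually use as key material: everything past
// byte 72 is dropped. A multi-byte character straddling the boundary is cut.
function effectiveKeyBytes(password) {
  return new TextEncoder().encode(password).slice(0, BCRYPT_MAX_KEY_BYTES);
}

// Report what the tool's warning is based on: byte length, whether the
// input will be truncated, and how many bytes bcrypt will never see.
function checkBcryptLength(password) {
  const bytes = new TextEncoder().encode(password).length;
  return {
    codePoints: [...password].length,      // what a user perceives as "characters"
    bytes,
    truncated: bytes > BCRYPT_MAX_KEY_BYTES,
    ignoredBytes: Math.max(0, bytes - BCRYPT_MAX_KEY_BYTES),
  };
}

// True when bcrypt cannot tell two passwords apart: they share the same
// first 72 UTF-8 bytes, so under the same salt they hash to the same value
// and either one verifies against a hash of the other.
function sameBcryptKey(a, b) {
  const ka = effectiveKeyBytes(a);
  const kb = effectiveKeyBytes(b);
  return ka.length === kb.length && ka.every((byte, i) => byte === kb[i]);
}

// Example run: 25 euro signs are 25 characters but 75 UTF-8 bytes.
console.log(checkBcryptLength('\u20AC'.repeat(25)));
console.log(sameBcryptKey('a'.repeat(72) + 'X', 'a'.repeat(72) + 'Y'));
```

If you pre-hash long passwords as the paragraph suggests, pass bcrypt the hex or base64 text of the SHA-256 digest rather than its raw bytes: a raw digest can contain a zero byte, which some bcrypt implementations treat as the end of the key.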

What is the difference between $2a$, $2b$, and $2y$ bcrypt variants?

$2b$ is the current, correct bcrypt specification and is recommended for all new implementations. $2a$ was the original specification that contained a bug in handling non-ASCII characters. $2y$ is a PHP-specific variant equivalent to $2b$. This tool supports all three variants for compatibility when working with existing systems.