Bcrypt / Hash Generator
Generate secure hashes for passwords and data. Supports bcrypt, SHA-256, SHA-512, and MD5 algorithms with customizable parameters, salt generation, and verification.
Never enter real passwords on public sites. Use test passwords only.
Rounds: Fast (4) | Default (10) | Slow (15)
Higher rounds = more secure but slower
Hash Algorithm Comparison
| Algorithm | Type | Security Level | Speed | Output Size | Primary Use | Introduced |
|---|---|---|---|---|---|---|
| bcrypt | Password hashing | Very High | Slow (by design) | 60 characters | Password storage | 1999 |
| SHA-256 | Cryptographic hash | High | Fast | 64 characters | Data integrity, SSL/TLS | 2001 |
| SHA-512 | Cryptographic hash | Very High | Fast | 128 characters | Strong data hashing | 2001 |
| MD5 | Message digest | Broken | Very Fast | 32 characters | Checksums only | 1992 |
Password Hashing Best Practices
Modern Password Storage
Do:
- Use bcrypt, Argon2, or PBKDF2
- Set appropriate work factor
- Use unique salt per password
- Store complete hash string
- Implement rate limiting
Don't:
- Use MD5, SHA-1 for passwords
- Store passwords in plain text
- Use the same salt for all users
- Create custom hash algorithms
- Disclose hash algorithm publicly
Bcrypt Hash Structure
$2b$10$N9qo8uLOickgx2ZMRZoMye.I8sgJ6aM.4RMGNXqV7BN.ZIFHqRCMK
- $ : Format identifier
- 2 : Algorithm identifier (2 = bcrypt)
- b : Algorithm version (b = bcrypt)
- 10 : Cost factor (10 = 2^10 iterations)
- N9qo8uLOickgx2ZMRZoMye : Salt (22 chars)
- .I8sgJ6aM.4RMGNXqV7BN.ZIFHqRCMK : Hash (31 chars)
The bcrypt hash includes everything needed for verification: algorithm version, cost factor, salt, and hash.
Cost Factor Guidelines
| Rounds | Iterations | Time* | Use Case |
|---|---|---|---|
| 8 | 256 | ~10ms | Development |
| 10 | 1024 | ~100ms | Default |
| 12 | 4096 | ~400ms | Production |
| 14 | 16384 | ~1.6s | High security |
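
An added example (not this site's code): a format-only audit in JavaScript that splits a stored bcrypt string into its fields and flags values whose cost is below policy or that are truncated. The function names and the minimum cost of 12 are assumptions; password verification itself stays with the library's compare function.

```javascript
// Added example, not the site's code. MIN_COST is an assumed policy value
// taken from the "Production" row of the cost factor table.
const MIN_COST = 12;

// $2<a|b|x|y>$<2-digit cost>$<22-char salt><31-char hash>, 60 chars in total.
// Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9).
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored string into its fields, or return null if it is malformed.
function parseBcrypt(stored) {
  const m = typeof stored === "string" ? BCRYPT_RE.exec(stored) : null;
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // cost range bcrypt accepts
  return { version: m[1], cost, iterations: 2 ** cost, salt: m[3], hash: m[4] };
}

// Decide what to do with a stored value: keep it, rehash it at the next
// successful login (cost below policy), or reject it (truncated / not bcrypt).
function auditStoredHash(stored, minCost = MIN_COST) {
  const parsed = parseBcrypt(stored);
  if (!parsed) return { action: "reject", reason: "not a complete bcrypt string" };
  if (parsed.cost < minCost) {
    return { action: "rehash-on-login", reason: `cost ${parsed.cost} < ${minCost}`, parsed };
  }
  return { action: "keep", reason: `cost ${parsed.cost}`, parsed };
}

// Constructed sample column values; the first is the example string from this page.
const PAGE_HASH = "$2b$10$N9qo8uLOickgx2ZMRZoMye.I8sgJ6aM.4RMGNXqV7BN.ZIFHqRCMK";
const samples = [
  PAGE_HASH,
  "$2b$12$" + PAGE_HASH.slice(7),     // same layout, cost 12 (format check only)
  PAGE_HASH.slice(0, 50),             // truncated, e.g. by a too-short column
  "0123456789abcdef0123456789abcdef", // 32 hex chars: MD5-sized, not bcrypt
];
for (const s of samples) {
  const r = auditStoredHash(s);
  console.log(s.slice(0, 12).padEnd(12), r.action, "-", r.reason);
}
```

A "rehash-on-login" result means the hash can only be upgraded after the user's next successful login, because the plain password is needed to compute the new hash.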
Frequently Asked Questions
Password hashing is a one-way cryptographic function that converts passwords into fixed-length strings. It's designed to be irreversible, so the original password cannot be retrieved from the hash.
bcrypt is specifically designed for passwords with built-in salt and adjustable work factor (slowness) to resist brute-force attacks. SHA-256 is fast and designed for general data integrity, making it vulnerable to rainbow table attacks for passwords.
A salt is random data added to the password before hashing. It ensures that identical passwords produce different hashes, preventing rainbow table attacks and making brute-force attacks much more difficult.
The cost factor (2^rounds) determines how many iterations bcrypt performs. Higher values make hashing slower and more resistant to brute-force attacks, but also increase CPU usage. The default is 10 (2^10 = 1024 iterations).
No, MD5 is cryptographically broken and should never be used for passwords or security applications. It's fast and produces collisions easily. Only use MD5 for non-security purposes like checksums.
Use the bcrypt.compare() function (or the equivalent in your language), which handles the salt extraction and comparison automatically. Never extract and compare salts manually.
Passwords: bcrypt, Argon2, or PBKDF2. Data integrity: SHA-256 or SHA-512. Fast checksums: SHA-1 or MD5 (non-security). File verification: SHA-256 or SHA-512.
Store the complete hash string (including salt and algorithm identifier). For bcrypt, store the entire 60-character string. Never store plain text passwords or decryptable passwords.
Rainbow tables are precomputed tables of password-hash pairs. Salting prevents these attacks by ensuring each password has a unique salt, making precomputed tables useless.