bcrypt Hash & Cost Calculator

Generate bcrypt hashes, test password verification, and estimate cost-factor impact directly in your browser.

For browser speed, this tool caps cost at 16. Typical production values are 10–14 depending on your server performance targets.
The salt field can be left empty to auto-generate a secure random salt.

Verify Password Against a bcrypt Hash

Cost Factor Estimator

Given a measured runtime at cost 10, estimate a suitable cost factor for your target runtime.

What This bcrypt Calculator Does

This tool helps you work with bcrypt in three practical ways: generate a hash, verify a password against an existing hash, and estimate a cost factor that balances security with login performance. It is useful for developers building authentication systems, security learners, and teams tuning password-hashing policy.

Why bcrypt Is Still Important

bcrypt is designed specifically for password hashing. Unlike fast general-purpose hashing algorithms, bcrypt is intentionally slow and adaptive. That “adaptive” part means you can increase the cost factor over time as hardware improves.

  • Salted by design: each hash includes a random salt to prevent rainbow-table attacks.
  • Configurable cost: increasing cost makes brute-force attacks more expensive.
  • Battle-tested: widely used across frameworks and platforms for years.

How to Use This Page

1) Generate a Hash

Enter a password, pick a cost factor, and click Generate bcrypt Hash. The generated hash includes version, cost, salt, and hash value in a single string.

2) Verify a Password

Paste any valid bcrypt hash into the verify section, enter a candidate password, and click Verify. You will immediately see whether the password matches.

3) Estimate a Practical Cost

If your baseline measurement at cost 10 is known, use the estimator to choose a target cost that fits your latency budget. A common goal is to keep hashing expensive enough for attackers while still acceptable for real users.

Choosing a Good Cost Factor

There is no universal “best” cost factor. The right value depends on your infrastructure and acceptable authentication delay. A useful starting point is to benchmark on production-like hardware and target a per-hash runtime roughly between 100 and 500 ms.

  • High-traffic apps may need lower cost to protect throughput.
  • Admin portals and high-risk contexts may justify higher cost.
  • Re-test annually and increase the cost when hardware allows it.
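As an added example (not the calculator page's own code), the following JavaScript shows two things the page describes: splitting a bcrypt string into its version, cost, salt and hash fields, and the doubling rule behind the cost estimator (runtime at cost c is roughly the cost-10 runtime times 2^(c-10)). The sample hash string and the 60 ms baseline are constructed values, not measurements or a real hash of anything.

```javascript
// Added example: bcrypt hash-string parser plus cost-factor estimator.
// Runs in a browser console or Node with no dependencies.

// Modular-crypt layout: $<version>$<2-digit cost>$<22-char salt><31-char hash>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Constructed sample with a syntactically valid 60-character layout.
// It is NOT a real hash of any password; use it only to exercise the parser.
const SAMPLE_HASH = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

// Split a bcrypt string into version, cost, salt and hash.
// Returns null when the layout or the cost field is not valid bcrypt.
function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's defined cost range
  return { version: m[1], cost, salt: m[3], hash: m[4] };
}

// bcrypt runs 2^cost key-setup rounds, so each +1 in cost doubles runtime.
function estimateRuntimeMs(measuredMsAtCost10, cost) {
  return measuredMsAtCost10 * Math.pow(2, cost - 10);
}

// Highest cost whose estimated runtime still fits within targetMs,
// clamped to bcrypt's minimum (4) and this page's browser cap (16).
function estimateCostFactor(measuredMsAtCost10, targetMs, maxCost = 16) {
  if (measuredMsAtCost10 <= 0 || targetMs <= 0) {
    throw new RangeError("runtimes must be positive milliseconds");
  }
  const raw = 10 + Math.log2(targetMs / measuredMsAtCost10);
  return Math.min(maxCost, Math.max(4, Math.floor(raw)));
}

// Worked example: a constructed 60 ms baseline at cost 10 and a 250 ms budget.
const suggested = estimateCostFactor(60, 250);       // 12
const projected = estimateRuntimeMs(60, suggested);  // 240 ms, within budget
console.log(parseBcryptHash(SAMPLE_HASH), suggested, projected);
```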

Security Best Practices Beyond bcrypt

  • Use TLS everywhere (passwords should never travel in clear text).
  • Add rate limiting and account lockout controls to slow online attacks.
  • Consider a server-side pepper in addition to per-password salts.
  • Enable MFA for sensitive accounts.
  • Keep dependencies and authentication libraries patched.

Common Mistakes to Avoid

  • Using a fast hash algorithm (like SHA-256 alone) for password storage.
  • Hard-coding one shared salt for all users.
  • Setting bcrypt cost too low and never revisiting it.
  • Building custom crypto without peer-reviewed libraries.

Final Takeaway

A good password storage strategy is not just “hash and forget.” It is an ongoing policy decision combining algorithm choice, cost tuning, monitoring, and periodic upgrades. Use this bcrypt calculator to validate your assumptions, test quickly, and make evidence-based security decisions.
