Each +1 doubles the work. 10–12 is a good default.
Hashing and verification run entirely in your browser with bcryptjs — nothing is uploaded.
Generate and verify bcrypt password hashes online, free. bcrypt is an adaptive password-hashing function based on the Blowfish cipher (Provos & Mazières, 1999) with a tunable cost factor that makes brute-forcing deliberately slow. This tool generates a salted bcrypt hash from a password — or checks a password against an existing hash — entirely in your browser.
Every hash includes a random salt and an adjustable cost factor, the modern standard for storing passwords safely (OWASP-recommended). 100% free, no registration, and complete privacy — everything runs locally in your browser, so your data never touches a server.
bcrypt embeds a unique random salt in every hash, so identical passwords produce different hashes and rainbow-table attacks fail.
Raise the work factor to make each hash slower to compute, keeping brute-force attacks expensive as hardware improves.
Create a hash from a password, or verify a candidate password against an existing $2b$ hash.
Hashing runs locally in your browser — passwords and hashes are never uploaded, logged, or stored.
No. bcrypt is a one-way hashing function — you cannot recover the original password from the hash. You can only verify a candidate password by hashing it the same way and comparing.
Pick the highest value your server can tolerate for a login (commonly 10–12). Higher cost = slower hashing = harder brute-force, but also more CPU per login. Re-evaluate as hardware gets faster.
Because bcrypt generates a new random salt each time. That salt is stored inside the hash string, so verification still works while rainbow-table attacks don't.
No. Hashing and verification happen entirely in your browser; nothing you type is uploaded, logged, or stored.
bcrypt is a solid, widely supported choice. OWASP also lists Argon2id and scrypt as strong modern options; the key is a salted, slow, adaptive hash — never a plain MD5/SHA hash.