Bcrypt is an adaptive password-hashing function based on the Blowfish cipher, designed by Niels Provos and David Mazières in 1999. Unlike general-purpose cryptographic hash functions such as SHA-256, bcrypt is intentionally slow, and its cost can be raised over time as hardware improves, which keeps it resistant to brute-force attacks.
Bcrypt uses the Blowfish symmetric-key block cipher as its underlying primitive. The key setup phase of Blowfish is deliberately expensive: it processes the password through 18,000 iterations of the F-function before any data is processed. This 'key setup cost' (the cost factor) determines how computationally expensive each hash computation becomes.
The cost factor, also called 'salt rounds' or 'log_rounds', is a logarithmic parameter: the number of key-expansion rounds is 2^rounds, so each increment of the cost factor doubles the time required to hash. A cost factor of 10 means 2^10 = 1,024 iterations. Modern recommendations suggest a cost factor of 10–12 for login scenarios, balancing security with user experience.
Bcrypt automatically generates a 128-bit (16-byte) random salt for each hash. This salt is stored in the hash output itself, as the 22 characters that follow the version and cost prefix ($2a$, $2b$, or $2y$ plus the two-digit cost). Even if two users have the same password, their hashes will be completely different because each has a unique salt.
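As an added example (not code from this page or its tool), a small Python parser for the bcrypt string format described above: it splits the version prefix, the two-digit cost, the 22-character salt and the digest, decodes the salt with bcrypt's own base64 alphabet to recover the 16 salt bytes, and flags stored hashes whose cost is below a policy minimum so they can be rehashed at the user's next successful login. The sample hash string and the `needs_rehash` policy threshold are constructed for this example.

```python
import re

# bcrypt uses its own base64 alphabet ("./A-Za-z0-9"), not RFC 4648 base64.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_DECODE = {c: i for i, c in enumerate(BCRYPT_ALPHABET)}

# Modular-crypt layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
_HASH_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample string in the correct format (not tied to any real account).
SAMPLE_HASH = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


def bcrypt_b64decode(s: str) -> bytes:
    """Decode bcrypt's base64 variant; 22 chars -> 16 bytes (last 4 bits are padding)."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in s:
        bits = ((bits << 6) | _DECODE[ch]) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into version, cost, 2^cost iterations, raw salt and digest."""
    m = _HASH_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost_str, salt_b64, digest_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside the valid range 4..31")
    return {
        "version": version,
        "cost": cost,
        "iterations": 2 ** cost,              # each +1 on cost doubles the work
        "salt": bcrypt_b64decode(salt_b64),   # 16 bytes = the 128-bit salt
        "digest_b64": digest_b64,
    }


def needs_rehash(hash_str: str, min_cost: int = 10) -> bool:
    """Policy check (hypothetical threshold): flag stored hashes below the current minimum cost."""
    return parse_bcrypt(hash_str)["cost"] < min_cost
```

Because the cost is stored in the string, a login handler can verify with the old parameters and immediately store a fresh hash at the current cost whenever `needs_rehash` returns True.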
SHA-256 is a fast hash function designed for data integrity, not password hashing. Modern GPUs can compute billions of SHA-256 hashes per second, making brute-force attacks trivial. Bcrypt's adaptive cost factor means that even with specialized hardware, cracking bcrypt hashes remains computationally expensive.
Generate secure Bcrypt hashes and verify passwords against existing hashes. Free, fast, and runs entirely in your browser.