Hash a password with bcrypt and verify a password against a bcrypt hash, entirely in your browser.
How to use the Bcrypt tool
Choose Hash to create a hash, or Verify to check one.
Enter a password, and a hash when verifying.
Read the bcrypt hash or the match result.
A bcrypt tool that hashes a password at a cost you choose, and verifies a password against an existing bcrypt hash. Everything runs locally in your browser, so passwords stay on your device.
Bcrypt is an adaptive password-hashing function designed specifically for storing passwords. Unlike a fast hash such as SHA-256, it is deliberately slow and includes a built-in salt, which is exactly what you want when defending stored passwords.
The cost factor (the rounds) sets how much work each hash takes. Every extra round doubles the computation, so raising the cost makes large-scale brute-force and GPU attacks far slower, while a single login stays fast enough. A value of 10 to 12 is a common choice.
Bcrypt mixes a random salt into every hash, so the same password produces a different hash each time. That defeats precomputed rainbow tables, and verification still works because the salt is stored inside the hash itself.
To check a password, the verify mode reads the salt and cost out of the stored hash, hashes the candidate the same way, and compares, which is why you only need the hash and the password, not the original salt.
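The hash layout that verify mode relies on, as an added example rather than this tool's own code: a standard bcrypt string carries a version tag, a two-digit cost, a 22-character salt and a 31-character digest. The sample hash is constructed for illustration, and `workFactor` and `needsRehash` are hypothetical helper names.

```javascript
// Added example: field layout of a bcrypt hash string (modular crypt format).
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored hash into the fields a verifier reads back out of it.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) throw new Error("not a bcrypt hash string");
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) throw new Error("cost out of range (4-31)");
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // key-setup iterations, doubles per +1 of cost
    salt: m[3],            // 16 random bytes as 22 chars of bcrypt base64
    digest: m[4],          // the hash output, 31 chars
  };
}

// How many times more work toCost demands than fromCost.
function workFactor(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Hypothetical login-time policy check: flag hashes created below the
// current cost so they can be re-hashed after a successful verify.
function needsRehash(stored, policyCost) {
  return parseBcryptHash(stored).cost < policyCost;
}

// Constructed sample values: structurally valid, not from a real password.
const SAMPLE_SALT = "abcdefghijklmnopqrstuu";
const SAMPLE_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
const SAMPLE_HASH = "$2b$10$" + SAMPLE_SALT + SAMPLE_DIGEST;

const parsed = parseBcryptHash(SAMPLE_HASH);
console.log(parsed.version, parsed.cost, parsed.iterations, parsed.salt);
console.log("cost 10 -> 12 multiplies work by", workFactor(10, 12));
console.log("rehash under a cost-12 policy:", needsRehash(SAMPLE_HASH, 12));
```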
Hashing and verifying run entirely in your browser, so nothing is uploaded. Even so, avoid pasting real production passwords on a shared computer.
Frequently asked questions
The cost factor: each extra round doubles the work needed to compute the hash, making brute-force attacks slower. 10 to 12 is a common choice.
Bcrypt includes a random salt in every hash, so the output differs even for the same password. Verification still works because the salt is stored inside the hash.
Hashing runs entirely in your browser, so passwords are not uploaded. Still, avoid pasting real production passwords on shared computers.
10 to 12 suits most applications. Higher is more resistant to brute force but slower for every login, so balance security against the delay users will accept.
Yes. SHA-256 is fast, which helps attackers guess passwords quickly. Bcrypt is deliberately slow and salted, which is what password storage needs.