🔐 BCrypt Hash Generator & Verifier
Client-side BCrypt password hash toolkit with three tabs: Generate (cost 4-15, $2a/$2b/$2y version selector, 3 output formats), Verify (auto-parses cost/version with OWASP guidance), and Inspect (dissect any bcrypt hash into prefix/cost/salt/hash). Real-time 72-byte truncation warning, progress bar, cancel button, and mobile-friendly chip controls.
OWASP 2026 recommends cost ≥ 12
💡 Why does OWASP 2026 recommend Argon2id first?
OWASP Password Storage Cheat Sheet 2026 recommended order:
- Argon2id — First choice. Memory-hard, resistant to GPU / ASIC attacks
- bcrypt — Mature ecosystem, legacy compatibility. cost ≥ 12
- PBKDF2 — FIPS compliance scenarios
- scrypt — Acceptable alternative
Real-world bcrypt pitfall: silent 72-byte truncation (Chinese text encoded as UTF-8 reaches the limit at just 24 characters). There have been real authentication bypass incidents at FreshRSS, Mealie, and others. Prefer Argon2id for greenfield systems.
Free online BCrypt password hash generator and verifier with three modes:
- Generate — enter a password, choose a cost factor (4-15) and a $2a/$2b/$2y version; the bcrypt hash is output in raw, user:hash, or JSON format
- Verify — enter a password and a hash for an automatic match check, with the parsed cost and version plus OWASP 2026 guidance
- Inspect — paste any bcrypt hash string for a four-segment, color-coded breakdown of prefix/cost/salt/hash
Key features:
- Browser-side computation powered by the mature bcryptjs 3.x library, with lazy loading. Your password, salt, and hash are not uploaded by the tool and are not persisted to localStorage
- Built-in real-time 72-byte counter (Chinese text encoded as UTF-8 reaches the limit at just 24 characters), to help prevent FreshRSS-style authentication bypass pitfalls
- Mobile-optimized cost chip controls
- Progress bar with cancel button (bcryptjs cooperatively yields every 100ms, keeping the UI responsive)
- Automatic version prefix rewriting with honest algorithm-equivalence disclosure: all three prefixes produce identical algorithm output and differ only by consumer compatibility
- OWASP 2026 Argon2id upgrade guidance
Ideal for seeding test accounts, debugging login issues, validating legacy hash formats during system migrations, and studying bcrypt cryptography. Optimized for both desktop and mobile, with 44px touch targets, dark mode support, and respect for prefers-reduced-motion.
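
The Inspect breakdown and the 72-byte truncation described above, as an added JavaScript example that is not the tool's own code and does not call bcryptjs. The function names, the constants' names, and the sample hash and passwords are constructed for illustration.

```javascript
// Added example. Limits below are the ones stated on this page.
const BCRYPT_MAX_BYTES = 72; // bytes of the password that bcrypt uses
const MIN_COST = 12;         // minimum cost the page attributes to OWASP

// Split a bcrypt string into prefix / cost / salt / hash.
// Returns null when the string is not a well-formed $2a/$2b/$2y hash.
function inspectBcryptHash(hash) {
  const re = /^(\$2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
  const m = re.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  return {
    prefix: m[1],
    cost,
    salt: m[3],   // 22 characters of bcrypt-style base64
    hash: m[4],   // 31 characters of bcrypt-style base64
    meetsMinCost: cost >= MIN_COST,
  };
}

// Truncation depends on the UTF-8 byte length, not the character count.
function passwordByteInfo(password) {
  const bytes = new TextEncoder().encode(password).length;
  return { bytes, truncated: bytes > BCRYPT_MAX_BYTES };
}

// True when two different passwords share their first 72 bytes, so bcrypt
// would receive the same input for both and a verifier would accept either.
function collidesAfterTruncation(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a).slice(0, BCRYPT_MAX_BYTES);
  const y = enc.encode(b).slice(0, BCRYPT_MAX_BYTES);
  return a !== b && x.length === y.length && x.every((v, i) => v === y[i]);
}

// Constructed sample values: the hash is only format-valid, not the hash
// of any real password.
const sampleHash =
  "$2b$12$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
const cjk24 = "密".repeat(24); // 24 characters x 3 bytes = exactly 72 bytes

console.log(inspectBcryptHash(sampleHash));
console.log(passwordByteInfo(cjk24), passwordByteInfo(cjk24 + "a"));
console.log(collidesAfterTruncation(cjk24 + "A", cjk24 + "B")); // true
```

Rejecting or pre-checking any password for which `passwordByteInfo(...).truncated` is true, before it reaches bcrypt, is the check the tool's real-time byte counter surfaces to the user.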