Privvert - private browser-based file tools

Bcrypt Hash & Verify

Password hashing

Hash a password

Verify a password

Bcrypt is intentionally slow. Each step up in cost roughly doubles the time. 10-12 is typical for web logins; 14+ for very high security.

About this tool

Generate bcrypt password hashes at any cost factor, or verify a plaintext password against an existing bcrypt hash. Bcrypt is the longstanding industry-standard password hashing algorithm, designed to be slow on purpose so brute-force attacks are expensive.

Everything runs locally - passwords and hashes never leave your device. The cost factor (4-14) controls how slow the hash is to compute; higher = slower = more secure but worse user experience on login.

bcrypt is a password-hashing function deliberately designed to be slow - tunable via the cost factor (typically 10-12 in 2026) so attackers cannot brute-force millions of guesses per second on modern GPUs. Privvert runs bcrypt in WebAssembly with a configurable cost so you can test how long verification takes on your target hardware before shipping a new value to production.

Features

  • Cost factor 4-14
  • Generate and verify in one tool
  • 100% in-browser via bcryptjs
  • Copy hashes with one click
  • Real-time verify result (match / no match)
  • Browser-only - passwords never logged or sent
  • Free and unlimited

How to use it

  1. Type a password and pick a cost factor.
  2. Click Generate hash and copy the result.
  3. To verify, paste an existing hash and a candidate password.

🔒 100% private

Everything happens inside your browser with JavaScript and WebAssembly. Your files are never uploaded, never stored and never seen by us.

Frequently asked questions

What cost should I use?

10-12 is typical for web logins. Higher = slower = more secure but worse UX. A cost-of-12 hash takes about 250 ms on a modern server, which is the right ballpark for password checking.

Bcrypt vs Argon2?

Argon2 is the winner of the Password Hashing Competition (2015) and is the recommended choice for new systems. Bcrypt is older but still safe and very widely supported. Both are infinitely better than plain SHA-256 of a password.

Why is hashing slow?

Slowness is the whole point - it makes offline brute-force attacks expensive. A cost of 12 means each guess takes ~250 ms; an attacker testing a billion passwords would need years.

Can I verify a hash from PHP/Python/Ruby?

Yes - bcrypt is a standard format. Hashes generated by any bcrypt implementation can be verified by any other.

What cost factor should I use in 2026?

12 is the current sweet spot for web apps: ~250 ms per hash on a modern server, slow enough to resist offline attacks, fast enough not to be a DoS vector. Cost 14+ is appropriate for highly sensitive systems where a 1-2 second login delay is acceptable.
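Because the bcrypt format is standard and records the cost inside the hash string, stored hashes can be audited against a cost policy without knowing any password. The following is an added example, not Privvert's code: the helper names, the target of 12 and the sample values are assumptions, and the 250 ms reference is the figure quoted above.

```javascript
// Added example, not Privvert's code. parseBcrypt, estimateMs and auditHash
// are hypothetical helper names.
// Standard layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
const TARGET_COST = 12;    // assumption: policy floor, from the 10-12 guidance above
const MS_AT_COST_12 = 250; // the page's server figure; measure your own hardware

function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt only defines costs 4 to 31
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Each cost step doubles the work, so scale from the cost-12 reference point.
function estimateMs(cost) {
  return MS_AT_COST_12 * 2 ** (cost - 12);
}

// Classify one stored credential: unparseable values (for example a bare
// SHA-256 hex digest) and bcrypt hashes below the target both need a rehash
// at the user's next successful login.
function auditHash(stored, target = TARGET_COST) {
  const p = parseBcrypt(stored);
  if (!p) return { valid: false, needsRehash: true };
  return {
    valid: true,
    version: p.version,
    cost: p.cost,
    estimatedMs: estimateMs(p.cost),
    needsRehash: p.cost < target,
  };
}

// Constructed sample values: correct shape, but not hashes of any real password.
const SALT = "a".repeat(22);
const DIGEST = "b".repeat(31);
const SAMPLES = [
  `$2b$12$${SALT}${DIGEST}`, // meets the target
  `$2a$08$${SALT}${DIGEST}`, // legacy cost, about 16 ms per guess
  "0".repeat(64),            // shaped like a hex SHA-256 digest, not bcrypt
];

for (const s of SAMPLES) console.log(s.slice(0, 7), auditHash(s));
```

Rehashing can only happen at login, when the plaintext is available, so the audit result is a flag to act on then rather than a batch migration.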

Why bcrypt instead of SHA-256?

Fast hashes like SHA-256 are designed for speed - exactly the wrong property for password storage. A modern GPU can compute billions of SHA-256 hashes per second, making brute force trivial. bcrypt (and argon2, scrypt) are designed to be slow so attackers cannot scale. See the passwords article for context on why this matters.