100% browser-based · No upload · $2a$ / $2b$ / $2y$

Bcrypt Verify

Verify a plaintext password against a bcrypt hash. Supports the $2a$, $2b$, and $2y$ prefixes. Runs entirely in your browser using bcrypt.js — your inputs never leave the page.

Example

Password + bcrypt hash → match?

Bcrypt hashes embed the algorithm prefix, cost, salt, and hash in one 60-character string.

Plaintext password
password123
Bcrypt hash
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
Use cases

When to use this tool

Bcrypt verification is a common debugging step when working on auth.

Security audits

Confirm that a stored hash matches the expected password during pentests.

Auth debugging

Verify a hash produced by your backend without spinning up the server.

Cross-language sanity check

Compare Node, Python, PHP, and Ruby bcrypt implementations.

Migration verification

Sanity-check legacy hashes before migrating to a new auth system.

Step by step

How to verify a bcrypt hash

1. Enter the plaintext password. The candidate the user submitted.
2. Paste the bcrypt hash. The 60-character $2a$ / $2b$ / $2y$ string from your database.
3. Click Verify. bcrypt.js will re-hash the password with the embedded salt and compare.
4. Read the result. Green check for match, red cross for no match.

FAQ

Frequently asked questions

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999. It uses the Blowfish cipher in a key-schedule loop with an adaptive cost factor — so as hardware gets faster, the cost can be raised.

Yes — everything runs in your browser. The password and hash never leave the page. Even so, be cautious about pasting production hashes into any web tool you do not control.

No. bcrypt is one-way. Recovery requires guessing candidate passwords and re-hashing them — exactly what attackers do, which is why the cost factor matters.

Different bcrypt implementation prefixes. $2a$ is the classic, $2b$ is the modern fixed-bug variant, $2y$ is a PHP-specific tag. All are compatible with bcrypt.js.

Yes. Runs entirely in your browser. No signup, no upload, no logs.

About

About bcrypt

bcrypt is a password-hashing function based on the Blowfish cipher, designed in 1999 by Niels Provos and David Mazières. It is widely used because it combines three important properties: a built-in salt, an adaptive cost factor, and resistance to GPU-accelerated brute force.

Anatomy of a bcrypt hash

  • Prefix: $2a$, $2b$, or $2y$ identifies the variant.
  • Cost — a number from 4 to 31 controlling the work factor. Each step doubles the work.
  • Salt — 22-character base64-encoded random data.
  • Hash — 31-character base64-encoded output.
  • Total: 60 characters.

Best practices

  • Use a cost factor of 12 or higher in 2026.
  • Never roll your own — use the standard library for your language.
  • Consider Argon2 for new systems where the runtime is available.
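
The anatomy and best-practice lists above can be checked mechanically before a hash is ever verified. The following is an added example, not code from this page or from bcrypt.js: a structural parser that splits a stored string into its fields and flags a cost below 12. The names `parseBcryptHash` and `MIN_RECOMMENDED_COST` are hypothetical, and no password hashing or comparison is performed.

```javascript
// Added example: structural parser for a bcrypt hash string (no hashing performed).
// bcrypt uses its own base64 alphabet: "./", then A-Z, a-z, 0-9.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
const MIN_RECOMMENDED_COST = 12; // taken from the best-practices list on this page

function parseBcryptHash(input) {
  // Trim first: hashes read from fixed-width columns often carry padding.
  const hash = String(input).trim();
  if (hash.length !== 60) {
    return { valid: false, reason: "expected 60 characters, got " + hash.length };
  }
  const m = BCRYPT_RE.exec(hash);
  if (!m) {
    return { valid: false, reason: "not a $2a$ / $2b$ / $2y$ bcrypt string" };
  }
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) {
    return { valid: false, reason: "cost " + cost + " is outside 4-31" };
  }
  return {
    valid: true,
    prefix: "$" + m[1] + "$",
    cost,
    iterations: 2 ** cost, // each cost step doubles the work
    salt: m[3],            // 22 characters
    digest: m[4],          // 31 characters
    belowRecommendedCost: cost < MIN_RECOMMENDED_COST,
  };
}

// The sample hash shown in the Example section of this page.
const sample = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
console.log(parseBcryptHash(sample));                        // valid, cost 10, flagged
console.log(parseBcryptHash(sample.slice(0, 59)));           // constructed: truncated
console.log(parseBcryptHash("$2x$10$" + sample.slice(7)));   // constructed: bad prefix
```

Running it over an exported credential table is a quick way to find truncated rows and accounts still stored at a low cost factor before a migration.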