Bcrypt Hashing


Summary

Definition: Bcrypt is a password hashing algorithm designed to be slow and resist brute-force attacks.

Why it matters: Slow hashing raises the cost of cracking stolen password databases.

Pitfall: Bcrypt is not encryption and cannot protect arbitrary data.

Guide start

Bcrypt is built for password storage. It is intentionally slow, which makes offline guessing expensive.
Verification works by hashing the input again using parameters stored in the hash.

Key terms
Bcrypt: Password hashing function designed to be slow.
Cost factor: Work parameter controlling bcrypt runtime; each increment doubles the work.
Salt: Random value generated per password and embedded in the bcrypt hash.
Verification: Re-hashing the input with the stored salt and cost and checking for a match.

How bcrypt works

Bcrypt hashes passwords using a built-in salt and an adjustable cost factor. The salt and cost are stored inside the hash string.

Bcrypt hashing flow
  1. Accept the plaintext password.
  2. Generate a random salt automatically.
  3. Apply the cost-controlled bcrypt function.
  4. Store the resulting hash string.

Bcrypt stores the algorithm version, cost, salt, and hash together in one string.

Bcrypt only uses the first 72 bytes of the password; implementations truncate longer inputs, so bytes beyond that limit do not affect the hash.

Hashing vs encryption
Hashing: One-way, for password storage.
Encryption: Reversible, for data protection.
Bcrypt: Password hashing with built-in salt.

Common mix-up: You cannot decrypt a bcrypt hash; you must verify it.

Verification and upgrades

During login, bcrypt extracts the salt and cost from the stored hash and verifies the password internally.

If a user logs in successfully and the stored hash uses a low cost, rehash it with a higher cost and replace it.

Bcrypt defends against offline attacks; rate limiting is still required for online logins.
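As an added example (not part of the original guide), the following Python shows the two points above in code: pulling the version, cost, salt and digest out of a stored bcrypt string, using the stored cost to decide whether to rehash after a successful login, and flagging input past the 72-byte limit. The sample hash string is constructed to match the format and is not the hash of any real password; `checkpw` and `hashpw` are injected so the flow runs without a bcrypt binding, and the comment shows how the pyca/bcrypt functions would plug in.

```python
import re

# Stored format: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a stored bcrypt string into the fields it carries."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # valid bcrypt cost range
        raise ValueError("bcrypt cost out of range")
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def needs_rehash(stored: str, target_cost: int, target_version: str = "2b") -> bool:
    """True when the stored hash is weaker than current policy."""
    fields = parse_bcrypt_hash(stored)
    return fields["cost"] < target_cost or fields["version"] != target_version


def exceeds_bcrypt_limit(password: str) -> bool:
    """bcrypt only hashes the first 72 bytes of the UTF-8 encoded password."""
    return len(password.encode("utf-8")) > 72


def login_and_upgrade(stored, password, target_cost, checkpw, hashpw):
    """Verify the password, then rehash at target_cost if the stored hash is weak.
    checkpw(password, stored) -> bool and hashpw(password, cost) -> str are injected.
    With pyca/bcrypt they would be:
      checkpw=lambda p, h: bcrypt.checkpw(p.encode(), h.encode())
      hashpw=lambda p, c: bcrypt.hashpw(p.encode(), bcrypt.gensalt(rounds=c)).decode()
    Returns (login_ok, hash_to_store)."""
    if not checkpw(password, stored):
        return False, stored
    if needs_rehash(stored, target_cost):
        stored = hashpw(password, target_cost)  # upgrade while plaintext is available
    return True, stored


# Constructed sample: salt and digest characters are made up to exercise the
# parser; they are not derived from any real password.
SAMPLE_HASH = "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    print(parse_bcrypt_hash(SAMPLE_HASH))
    print("needs rehash at cost 12:", needs_rehash(SAMPLE_HASH, 12))
```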

Quick example

Hash a password, store the hash, and verify during login.

Bcrypt flow
password -> bcrypt hash -> store hash
login password -> bcrypt verify -> true or false



Practical check
  • Hash a sample password with bcrypt.
  • Verify the same password against the hash.
  • Confirm a wrong password fails verification.
  • Increase the cost and rehash on success.

FAQ

Can I decrypt a bcrypt hash? No. Hashing is one-way; you can only verify by hashing the input and comparing internally.

What cost factor should I use? Use the highest cost that keeps hashing under ~100–250 ms on your production systems.

Is bcrypt still safe? Yes for many systems, but consider Argon2 where memory-hard hashing is supported.

Guide end - You can now hash and verify passwords using bcrypt safely.