
bcrypt: How Password Hashing Works

bcrypt is a password hashing function designed to be slow on purpose, which is exactly what makes it good at protecting passwords. Instead of storing a password, a system stores its bcrypt hash, a fingerprint that cannot be reversed but can be checked. This guide explains how bcrypt works, why slowness is a feature, the role of the salt, and a free tool to generate a bcrypt hash in your browser.

Why hash a password

Storing passwords as plain text is dangerous: one database leak exposes every account. Hashing solves this by turning a password into a fixed-length string that cannot be turned back into the password. When a user logs in, the system hashes what they typed and compares the result to the stored hash, so the real password is never kept anywhere. The wider idea of hashing is in our hashing basics guide.

Why slow is good

General-purpose hashes are fast, which is a problem for passwords, because an attacker with a leaked database and a few GPUs can try billions of guesses per second. bcrypt is deliberately slow and has a tunable cost factor: the cost is a power of two, so raising it by one doubles the work of every hash, for the defender and the attacker alike. A legitimate login pays that price once, a fraction of a second, while an attacker pays it for every guess. Raising the cost as hardware improves keeps guessing expensive without noticeably slowing a real login.

The salt

bcrypt adds a random 16-byte salt to each password before hashing, and stores the salt inside the hash string itself, next to the version and cost. This means two users with the same password get different hashes, which defeats precomputed lookup tables and forces an attacker to attack every account separately instead of cracking many at once. The salt is not secret; its job is simply to make every hash unique.

Generate a bcrypt hash

The bcrypt generator produces a hash from the text you enter in your browser, with a cost factor you can set, so you can see what a stored password hash looks like and test a password against it. Because the cost and salt are embedded in the string, checking a password needs only the stored hash and the candidate password. Note that bcrypt reads at most the first 72 bytes of the password; anything beyond that is ignored. Because the tool runs locally, the password you hash is never sent anywhere.
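To make the cost factor, the salt, and the stored string concrete, here is an added example that is not the generator's own code. It parses a stored bcrypt string into its version, cost, salt and digest fields, decodes the salt with bcrypt's own base64 alphabet, builds a fresh salt prefix the way a library does, and shows how hash time scales with cost. It uses only the standard library; the optional section at the end calls the third-party bcrypt package, if it is installed, to hash and verify for real. The example hash string is taken as a sample of the format only; no claim is made about which password it belongs to.

```python
"""Inspect stored bcrypt hashes and the cost and salt fields they carry.

Added example, not the page's tool code. Standard library only; the
optional block at the bottom uses the third-party `bcrypt` package when
it is available to produce and check a real hash.
"""
import base64
import hmac
import re
import secrets

# bcrypt uses its own base64 alphabet: the same 6-bit layout as RFC 4648,
# a different symbol order, and no '=' padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)
_TO_BCRYPT = str.maketrans(STD_ALPHABET, BCRYPT_ALPHABET)

# A stored bcrypt string is 60 characters:
#   $2<variant>$<cost>$<22-char salt><31-char digest>
HASH_RE = re.compile(r"^\$2([abxy])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def b64decode_bcrypt(text):
    """Decode bcrypt's base64 variant into bytes."""
    std = text.translate(_TO_STD)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def b64encode_bcrypt(raw):
    """Encode bytes in bcrypt's base64 variant (no padding)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_BCRYPT)


def parse_bcrypt_hash(stored):
    """Split a stored hash into its fields; raise ValueError if it is malformed."""
    m = HASH_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    variant, cost_text, salt_text, digest_text = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError("cost outside bcrypt's 4..31 range")
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,                  # key-setup iterations the cost encodes
        "salt": b64decode_bcrypt(salt_text),  # 16 random bytes, stored in the clear
        "salt_text": salt_text,
        "digest_text": digest_text,
    }


def new_salt_string(cost=12, variant="b"):
    """Build the "$2b$12$<salt>" prefix a library hands to the hash function."""
    return "$2%s$%02d$%s" % (variant, cost, b64encode_bcrypt(secrets.token_bytes(16)))


def scale_hash_time(seconds, from_cost, to_cost):
    """Seconds per hash at to_cost, given the time measured at from_cost.

    Each +1 on the cost doubles the work, so cost 13 is 8x cost 10.
    """
    return seconds * 2 ** (to_cost - from_cost)


def hashes_equal(a, b):
    """Compare two stored hash strings without leaking where they differ."""
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


if __name__ == "__main__":
    # Sample string in the bcrypt format (constructed for parsing only).
    example = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
    info = parse_bcrypt_hash(example)
    print("variant", info["variant"], "cost", info["cost"], "=", info["rounds"], "rounds")
    print("salt bytes:", info["salt"].hex())
    print("fresh prefix:", new_salt_string(12))
    print("cost 12 vs 10: %.0fx the work per hash" % scale_hash_time(1.0, 10, 12))
    try:
        import bcrypt  # pip install bcrypt
        pw = b"correct horse battery staple"   # sample password, constructed
        stored = bcrypt.hashpw(pw, bcrypt.gensalt(rounds=12))
        print(stored.decode(), "verifies:", bcrypt.checkpw(pw, stored))
        print("wrong password verifies:", bcrypt.checkpw(b"wrong", stored))
    except ImportError:
        print("install the bcrypt package to hash and verify for real")
```

Two things worth noticing when you run it: the salt decodes to exactly 16 bytes and re-encodes to the same 22 characters, which is why a verifier can rebuild everything it needs from the stored string alone; and the cost arithmetic shows why bumping from 10 to 12 is not a 20% increase but a 4x one. The bcrypt package does the constant-time comparison itself inside checkpw; hashes_equal is here only to show what that step looks like.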

bcrypt versus plain hashes

A fast hash such as a general checksum is right for verifying file integrity but wrong for passwords, since speed helps the attacker. bcrypt, and the other slow hashes built for the job such as scrypt, Argon2 and PBKDF2, are the correct choice for passwords. Storing passwords with a fast hash, salted or not, is one of the most common and damaging security mistakes.

Frequently asked questions

What is bcrypt?

A password hashing function designed to be slow, so that storing a password as a bcrypt hash protects it even if the database leaks.

Why is bcrypt deliberately slow?

Because slowness limits how many guesses an attacker can try per second against a leaked hash, while barely affecting a real login.

What is a salt?

A random value added to each password before hashing, stored with the hash, so identical passwords produce different hashes.

Can a bcrypt hash be reversed?

No. It is a one-way function, so the only way to find the password is to guess and hash, and the slow design makes that impractical for a strong password. A weak or common password can still be guessed in a few tries, so bcrypt complements a good password rather than replacing one.

Should I use a fast hash for passwords?

No. Fast hashes help attackers guess quickly. Use a slow hash built for passwords, such as bcrypt.

Written by Nick (ATV Team)

We build and maintain the 600+ free, client-side tools on this site, and every guide is written against the tools themselves: each figure is computed and checked before it is published, and every linked tool is tested in the browser. More about how we work on the about page, and the full library of guides lives on the blog.