BCrypt Calculation

Calculate bcrypt hash for input value.


※The hash is calculated in your web browser. Neither the input text nor the calculated hash is sent to our server.

Tips

  • BCrypt automatically adds a salt, so the same input produces a different hash each time it is hashed.
  • Increasing the round count (cost factor) raises the computational cost, improving resistance to brute-force attacks. A value of 10–12 is generally recommended.
  • In PHP, use password_hash($password, PASSWORD_BCRYPT); in Ruby, use the bcrypt-ruby gem to generate equivalent hashes.
  • The leading $2y$ in the hash value is the algorithm identifier; the number that follows is the round count.
  • Consider also the newer Argon2 (supported since PHP 7.2) as another suitable algorithm for password storage.
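
The hash layout and the cost recommendation from the tips above, as an added Ruby example (not code from this page or from the bcrypt-ruby gem): it parses stored hash strings with the standard library only and flags entries whose cost is below an assumed policy minimum of 10. The names `parse_bcrypt`, `audit`, `audit_report` and `SAMPLES`, and every sample value, are constructed for illustration.

```ruby
require "digest"

# bcrypt string layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/
MIN_COST = 10 # lower end of the 10-12 range recommended above (assumed policy)

BcryptInfo = Struct.new(:variant, :cost, :salt, :digest) do
  # The cost is a base-2 logarithm: bcrypt runs 2**cost key-setup iterations.
  def iterations
    2**cost
  end
end

# Returns a BcryptInfo, or nil when the string is not a well-formed bcrypt hash.
def parse_bcrypt(stored)
  m = BCRYPT_RE.match(stored.to_s)
  return nil unless m
  cost = m[2].to_i
  return nil unless (4..31).cover?(cost) # valid bcrypt cost range
  BcryptInfo.new(m[1], cost, m[3], m[4])
end

# Classifies one stored credential for a password-store audit.
def audit(stored, min_cost: MIN_COST)
  info = parse_bcrypt(stored)
  return :not_bcrypt if info.nil?
  info.cost < min_cost ? :rehash_weak_cost : :ok
end

# Constructed sample values: placeholder salt/digest characters, not real hashes.
FILLER = ("a" * 22) + ("b" * 31)
SAMPLES = {
  "alice" => '$2y$12$' + FILLER,
  "bob"   => '$2a$08$' + FILLER,                            # cost below policy
  "carol" => Digest::SHA1.hexdigest("constructed-example"), # unsalted SHA-1
  "dave"  => '$2y$12$' + FILLER[0, 40]                      # truncated column
}.freeze

def audit_report(samples = SAMPLES)
  samples.transform_values { |stored| audit(stored) }
end

if __FILE__ == $PROGRAM_NAME
  audit_report.each { |user, verdict| puts format("%-6s %s", user, verdict) }
  puts "cost 12 vs 10 work factor: #{2**12 / 2**10}x"
end
```

Entries reported as `rehash_weak_cost` can be upgraded at the next successful login, when the plaintext password is available to hash again at the current cost.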

Side Note — The Battle of Passwords and Hashes: Why BCrypt Is Chosen

In the 2012 LinkedIn breach, approximately 6.5 million passwords were stored using only SHA-1 without a salt, and most were cracked within days via rainbow table attacks. This incident served as a major wake-up call for password storage design.

A modern high-performance GPU (e.g., NVIDIA RTX 4090) can compute MD5 approximately 68 billion times per second. BCrypt is intentionally designed to be computationally expensive — at round count 12, it is limited to a few thousand computations per second — giving it dramatically better resistance to brute-force attacks. With the same hardware, you could try 68 billion MD5 attempts per second, but only a few thousand BCrypt attempts. That difference is critical.

BCrypt was originally designed for OpenBSD in 1999. More than 20 years later, it remains in active use and, alongside the newer Argon2 (supported since PHP 7.2), is one of the standard choices for password storage.