Crypto
BCrypt Validation
Validate the hash is calculated from the text.
Tips
- BCrypt embeds the salt in the hash, so even though the hash value differs each time a hash is generated, it will be judged as a match if it was generated from the same original input.
- This tool verifies using the same mechanism as PHP's password_verify($password, $hash).
- When comparing a hash retrieved from a database with an entered password, use a dedicated verification function rather than a plain string comparison (==) to prevent timing attacks.
- Hash values starting with $2a$ can also be verified as BCrypt.
Side Note: Behind Authentication, What Those Few Hundred Milliseconds on Login Are
When you press the login button on a web service, part of the few hundred milliseconds before the result comes back is the time BCrypt spends computing the password hash. That delay is intentional: the slowness is a security property of BCrypt.
A Timing Attack is a type of side-channel attack in which an attacker infers secret information by measuring subtle differences in processing time. When a password is verified with a plain string comparison (==), the comparison time varies slightly depending on where the characters stop matching. BCrypt's verification function is designed to run in constant time, making it safe against this attack.
In real web applications, it is recommended to return a response in the same amount of time whether the user does not exist or the user exists but the password is wrong. If an attacker can distinguish "user does not exist" from "wrong password," it gives them a hint for identifying valid usernames.
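The tips and the side note above, as an added PHP example that is not the tool's own code: it shows that two hashes of the same password differ yet both verify, that a $2a$ hash is accepted by password_verify(), and a login routine that spends the same BCrypt work on unknown and known usernames. The in-memory $users array and the $2a$ test vector are constructed for the example.

```php
<?php
// Same password, hashed twice: the embedded salt makes the strings differ,
// but password_verify() recovers the salt from the hash and both match.
$password = 'correct horse battery staple';
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($hash1 === $hash2);                  // bool(false)
var_dump(password_verify($password, $hash1)); // bool(true)
var_dump(password_verify($password, $hash2)); // bool(true)

// A hash with the older $2a$ prefix (constructed test vector: bcrypt of
// "password" at cost 5) is also accepted by password_verify().
$legacy = '$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW';
var_dump(password_verify('password', $legacy)); // bool(true)

// Constant-time comparison is done inside password_verify(); never do
// $hash === crypt($password, $hash), which leaks where the strings diverge.

// Login that takes the same time whether or not the username exists:
// unknown users are verified against a dummy hash of the same cost, so the
// BCrypt work (the dominant cost) is always performed.
function login(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);
    }
    $exists = array_key_exists($username, $users);
    $stored = $exists ? $users[$username] : $dummyHash;
    $ok = password_verify($password, $stored);
    // Decide only after the hash work, so both branches cost the same.
    return $exists && $ok;
}

// Constructed user table: hashes stored, never the plaintext.
$users = ['alice' => $hash1];
var_dump(login($users, 'alice', $password));  // bool(true)
var_dump(login($users, 'alice', 'wrong'));    // bool(false), after one BCrypt run
var_dump(login($users, 'nobody', $password)); // bool(false), also after one BCrypt run
```

The response body and status for the last two calls should also be identical, otherwise the timing work is undone by a different error message.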