AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Generate bcrypt password hashes with adjustable cost factor (salt rounds).
Bcrypt is the industry standard for password hashing. It incorporates a salt and an adjustable cost factor to resist brute-force and rainbow table attacks.
Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. It is the most widely used password hashing algorithm and is the default for many frameworks including Laravel, Ruby on Rails, Django, and Node.js.
Bcrypt was designed to be computationally expensive and adaptively slow. The cost factor (also called salt rounds) controls how many iterations of the key derivation function are performed. Each increment of the cost factor doubles the time required to compute a single hash — making it progressively harder for attackers to brute-force passwords even as hardware improves.
A bcrypt hash has this structure:
$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
$2y$ — Algorithm prefix (2a, 2b, or 2y for different implementations)10$ — Cost factor (210 = 1024 iterations)The total hash is always 60 characters long.
password_hash() function.| Cost | Iterations (2cost) | Approx. Time | Recommendation |
|---|---|---|---|
| 4 | 16 | < 1 ms | Too fast, not recommended |
| 8 | 256 | ~5 ms | Minimum acceptable |
| 10 | 1,024 | ~50 ms | Default — good balance |
| 12 | 4,096 | ~200 ms | Recommended for production |
| 14 | 16,384 | ~800 ms | High security, slower UX |
| 16+ | 65,536+ | > 3 seconds | Extreme security only |
Yes. Bcrypt remains one of the most widely recommended password hashing algorithms. For new applications, many security experts now recommend Argon2id (the OWASP-recommended algorithm), but bcrypt is still a strong choice with excellent library support. The key is to choose an adequate cost factor — at least 10, preferably 12.
These prefixes indicate different bcrypt implementations. $2a$ is the original format. $2x$ and $2y$ are PHP-specific variants that fix a bug in how PHP's crypt() function handled certain characters. Laravel and modern PHP use $2y$. All variants are interoperable for verification purposes.
Yes! Use PHP's password_verify($password, $hash) function. This tool only generates hashes. For verification, use our Hash Checker tool or verify directly in your application code.
Bcrypt automatically generates a random salt for every hash operation. Even if you hash the same password twice, the two hashes will be completely different because they use different salts. When verifying, bcrypt extracts the salt from the stored hash and uses it to recompute the hash from the provided password.
PHP's bcrypt implementation truncates passwords at 72 characters. Any characters beyond 72 are silently ignored. For longer passwords, consider using Argon2id or pre-hashing the password with SHA-256 before passing it to bcrypt.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026