What Is Bcrypt? A Complete Guide to Password Hashing

23 Jun 2026 488 words
Also available in: ๐Ÿ‡ฉ๐Ÿ‡ช DE ๐Ÿ‡ช๐Ÿ‡ธ ES ๐Ÿ‡ฎ๐Ÿ‡ฉ ID ๐Ÿ‡ฏ๐Ÿ‡ต JA ๐Ÿ‡ต๐Ÿ‡น PT

What Is Bcrypt?

Bcrypt is a password hashing function designed by Niels Provos and David Maziรจres in 1999, based on the Blowfish cipher. It is one of the most widely recommended algorithms for securely storing passwords. Unlike fast hashing algorithms like MD5 or SHA-256, Bcrypt is deliberately slow and computationally expensive, making it resistant to brute-force and rainbow table attacks.

The key innovation of Bcrypt is its adaptive cost factor โ€” also known as the work factor or rounds. As hardware becomes faster over time, the cost factor can be increased to maintain resistance against attacks. This built-in future-proofing is why Bcrypt remains a top choice for password storage decades after its creation.

How Bcrypt Works

Bcrypt incorporates several security mechanisms:

Salt generation. Bcrypt automatically generates a random 16-byte salt for each password. This ensures that identical passwords produce different hashes, preventing rainbow table attacks and making it impossible to identify users who share the same password.

Cost factor. The cost factor (usually denoted as 2^rounds) determines how many iterations of the key derivation function are performed. A cost of 10 means 2^10 = 1,024 iterations. Each additional round doubles the computational work, making brute-force attacks exponentially harder.

Blowfish cipher integration. Bcrypt uses the Blowfish cipher's key schedule to perform the hashing, which requires significant memory and computation โ€” characteristics that make hardware-accelerated attacks impractical.

A Bcrypt hash typically looks like this:

$2b$10$3euPcmQFCiblsZeEu5s7p.9vHnhJ3X7e3Qh7vA7z6YnF5qX5Q5aK

Breaking this down:

  • $2b$ โ€” Algorithm version (2a, 2b, 2x, 2y)
  • 10 โ€” Cost factor (2^10 iterations)
  • 3euPcmQFCiblsZeEu5s7p. โ€” 22-character salt (base64 encoded)
  • 9vHnhJ3X7e3Qh7vA7z6YnF5qX5Q5aK โ€” 31-character hash

Why Bcrypt Is Recommended

Adaptive difficulty. Increase the cost factor as computing power grows. A hash that takes 0.1 seconds to compute today will still be secure in 10 years.

Built-in salting. No need to manage salts separately. Bcrypt handles everything automatically.

Widely supported. Bcrypt is available in virtually every programming language and framework.

Extensively audited. Two decades of cryptanalysis have found no practical vulnerabilities in Bcrypt when used correctly.

Bcrypt Best Practices

  1. Use a cost factor of 10-12. For most applications, cost 10 provides a good balance of security and performance. Increase it as your server hardware improves.
  2. Always use the latest revision. Use $2b$ or $2y$ (PHP-specific) instead of the older $2a$.
  3. Never implement Bcrypt yourself. Use well-vetted libraries in your language of choice.
  4. Combine with HTTPS. Always hash passwords over encrypted connections.

Generate Bcrypt Hashes Online

If you need to test Bcrypt hashing or generate hashes for development purposes, our free Bcrypt Generator lets you hash passwords instantly with a configurable cost factor. It is perfect for developers setting up test databases, verifying implementations, or learning how Bcrypt works.

Bcrypt remains one of the most trusted password hashing algorithms available. Its adaptive design, automatic salting, and proven security make it the right choice for protecting user credentials in any application.

About this article

Learn what Bcrypt is, how it works, and why it is one of the most trusted algorithms for password hashing. A complete guide with security best practices.

Related Articles

Related Tools

Bcrypt Generator