What is the "cost factor"?

**The number after `$2b$`**, e.g. **`$2b$12$`** means cost = 12. That's **2^cost rounds of hashing**. Cost 10 = 1024 rounds, 12 = 4096, 14 = 16384. **2026 standard**: **12-13** (~250 ms per hash, acceptable login latency but brutal for an attacker with billions of attempts).

Why does the same password give different hashes?

Because bcrypt adds a **random salt** (16 bytes = 22 chars in bcrypt-base64). The hash contains **salt + result**. The verifier extracts the salt, hashes the password with that salt, compares. **This blocks rainbow tables**.

`$2a$` vs `$2b$` vs `$2y$`?

Three prefix variants: - **`$2a$`**: original version (2010) - **`$2b$`**: fixed in 2014 (bug with passwords >72 bytes) - **`$2y$`**: PHP-specific variant from 2011, today an alias for `$2b$` **New systems use `$2b$`**. The verifier accepts every variant.

Password is >72 chars, problem?

**Classic bcrypt truncates at 72 bytes**. So "passwordA" + 64 random chars + anything = **the same hash** as "passwordA" + 64 chars. In practice no one uses passwords >72 chars, but **if your system pre-hashes** (e.g. SHA-256 → bcrypt), you bypass this limit.

Why does verification take a few hundred ms?

Because bcrypt is **INTENTIONALLY slow**. The cost factor governs it, each round is a **Blowfish KDF**. Cost 12 = ~250 ms on a modern CPU. **A feature, not a bug**: an attacker trying billions of passwords pays the same cost = **defense-in-depth** even after a database leak.

**Argon2id** is "newer" (2015, **OWASP-recommended** for new apps). **Bcrypt** is "older" but **battle-tested** (since 1999). **2026 practice**: **argon2id** for new systems, **bcrypt** for legacy. **Both are secure**; both libraries are mature.

How do I generate a bcrypt hash?

We have a [hash generator](/en/password-hash) supporting **30+ algorithms** including **bcrypt with configurable cost**. This verifier is the **companion**: generate there, verify here.

YourDevToolsPro

Bcrypt Verify

Check whether a password matches a bcrypt hash. Match or mismatch in a second.

LiveRuns in your browser

Bcrypt hash check

Paste a password and a hash, get an instant answer. Nothing leaves your browser.

Everything runs locally. Password and hash never leave your browser.

Does this password match this bcrypt hash?

Type the original password + the bcrypt hash ("$2b$12$..."), and the tool returns match or mismatch.

Everything runs locally, the password and hash never leave your browser.

Useful for devs: testing auth integrations, debugging login issues, verifying database exports. Supports "$2a$", "$2b$", "$2y$", all modern bcrypt outputs (Node bcryptjs, Python passlib, Ruby bcrypt-ruby, Java jBcrypt, PHP password_hash).

How to use it

Type the password you want to test in the "Password" field. Eye icon for show/hide.
Paste the bcrypt hash, must start with `$2a$`, `$2b$` or `$2y$`, exactly 60 chars.
Click "Verify". The tool calls bcrypt.compare internally, hashes the password with the salt extracted from the hash and compares.
Result: green "Match" with the cost factor, or red "Mismatch". Cost factor (4-15) = number of hashing rounds (more = slower, safer).

When this is useful

Five typical situations where a bcrypt verifier saves you hours of digging through logs:

Auth debugging. A user can't log in despite "definitely" knowing the password; check if the database hash matches.
Database migrations. After importing from another system, verify hashes carried over correctly.
Code review / pen-testing. Check whether the app uses a sufficiently high cost factor (10+ absolute minimum in 2026, 12+ recommended).
Recovery. An old test password you forgot but have the hash for; try variants.
Education. See how bcrypt produces different hashes for the same password (random salt), but all match the original.

To generate a bcrypt hash, use our hash generator, has bcrypt with configurable cost factor. Generate there, verify here.

Questions and answers

No. Verification runs in the browser: bcryptjs (the same lib Node.js uses) called locally. You can verify in DevTools → Network, no upload.

Related tools

Password Hashes: MD5, SHA, bcrypt

16 hash algorithms: MD4, MD5, SHA, SHA-3, RIPEMD, MySQL, NTLM, HMAC, bcrypt - with optional salt.

.htpasswd file generator

Build a user:hash line for Apache or Nginx Basic Auth. Bcrypt, SHA, APR1, crypt.

JWT decoder

Paste a JWT, see the decoded header, payload and signature. Readable claims view (iss, sub, exp, iat), expired-token detection, no data sent.