Free Bcrypt Password Hash Generator

Choose a cost factor that takes 250ms-1s on your server. Start with 10-12 and benchmark. Increase over time as hardware improves. The goal is slow enough to impede attackers but fast enough for legitimate users.

Bcrypt is deliberately slow (adjustable via cost factor), includes automatic salting, and resists GPU acceleration. SHA-256 is fast (bad for passwords) and requires manual salt management.

It identifies the bcrypt version. $2a$ was original, $2b$ fixed a bug in some implementations, $2y$ is PHP-specific. Modern implementations should use $2b$ or treat them equivalently.

Yes, bcrypt truncates passwords at 72 bytes. Characters beyond this are ignored. For very long passwords, pre-hash with SHA-256 first. In practice, 72 bytes is sufficient for human passwords.

Use your language library bcrypt verify function - it extracts the salt and cost from the stored hash automatically. Never try to compare hashes directly; even the same password produces different hashes.

Both are excellent choices. Argon2 is newer and won the Password Hashing Competition. Bcrypt is more widely supported and well-proven. Either is far better than SHA-256 or MD5 for passwords.