Hashes passwords so you can verify them later without storing the original password.
Bcrypt Hash
Verify identity without storing cleartext. Local-first implementation.
Generate Hash
Verify Hash
Protecting password databases and authentication systems.
Reversible encryption, file secrecy, or token generation.
Understand it
Learn the mental model before you trust the output.
Short, practical context that explains what the tool is for, how it works, and where people get it wrong.
In plain English
Bcrypt is a password-specific hashing algorithm. It turns a password into a one-way result that can be checked later, but not turned back into the original password.
How it works
Bcrypt mixes the password with a random salt and repeats expensive work many times. That makes each guess slower for an attacker, which is exactly what you want for password protection.
Password in, slow hash out
Bcrypt adds salt and cost so password checking stays practical while mass guessing stays expensive.
Where you'd use it
- Storing user passwords in a web application database.
- Testing password verification logic during development.
- Migrating away from unsafe fast hashes for login systems.
Common mistake
People sometimes ask bcrypt to protect data they want to decrypt later. That is the wrong tool. Bcrypt is for checking passwords, not for getting the original secret back.
History / fun fact
Bcrypt was designed to stay expensive on purpose. In password security, slow is a feature because it makes brute-force guessing much harder.
Security note
The work factor must be tuned high enough to hurt attackers but still be acceptable for your own login performance.
Deeper look
Why salts matter
A salt makes the same password produce different hashes for different users. That breaks simple precomputed lookup attacks like rainbow tables.
Why cost factor matters
The cost factor controls how much work bcrypt performs. Raising it increases defense against guessing, but also increases legitimate verification time.