bcrypt

hash and verify passwords with bcrypt

— enter a password to hash // client-only · bcryptjs

# Double quotes around the Authorization header so the shell expands $WHITTLY_API_KEY
curl -sX POST 'https://api.whittly.dev/v1/bcrypt/hash' \
  -H "Authorization: Bearer $WHITTLY_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"password":"hunter2","cost":10}'

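// Assumption: the API key is read from the environment, as in the curl example
const apiKey = process.env.WHITTLY_API_KEY;

// POST the password and cost factor as JSON
const res = await fetch('https://api.whittly.dev/v1/bcrypt/hash', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ password: 'hunter2', cost: 10 }),
});
const data = await res.json();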

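import axios from 'axios';

// Assumption: the API key is read from the environment, as in the curl example
const apiKey = process.env.WHITTLY_API_KEY;

// axios serializes the object body to JSON and sets Content-Type itself
const { data } = await axios.post(
  'https://api.whittly.dev/v1/bcrypt/hash',
  { password: 'hunter2', cost: 10 },
  { headers: { Authorization: 'Bearer ' + apiKey } }
);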

// about this tool

Bcrypt is an adaptive password hashing algorithm designed to remain slow as hardware improves. The cost factor (work factor) determines how many rounds of hashing are performed — doubling the cost factor doubles the computation time. This makes brute-force attacks progressively harder as hardware gets faster.

// when to use

  • Hash a password before storing it in a database
  • Verify a user's password against a stored hash
  • Test the right cost factor for your server's hardware
  • Understand bcrypt output format ($2a$, $2b$ prefixes)

// faq

What cost factor should I use?
OWASP recommends a cost factor high enough that hashing takes at least 1 second on your production hardware. Cost 12 is a reasonable default for most servers in 2024. Higher is more secure but slower.

Why does the same password produce a different hash each time?
Bcrypt generates a random 128-bit salt for each hash. The salt is stored inside the hash string itself (the 22-character segment after the cost factor). This means two identical passwords produce different hashes, defeating precomputed rainbow table attacks.
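
The string layout described in the answer above, as an added example (not code from this tool or from bcryptjs): a parser that splits a bcrypt string into version prefix, cost, 22-character salt and 31-character digest, confirms the salt decodes to 128 bits, and flags stored hashes below a chosen cost for rehashing. The names parseBcrypt and needsRehash and the sample strings are assumptions made for illustration.

```javascript
// bcrypt's own base64 alphabet (ordering differs from RFC 4648).
const B64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
// Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Decode bcrypt-base64 text into bytes, dropping leftover padding bits.
function decodeB64(text) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    acc = (acc << 6) | B64.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return bytes;
}

// Split a stored hash into its fields; returns null if it is not bcrypt-shaped.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // cost range bcrypt accepts
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // the cost is a base-2 exponent
    salt: m[3],
    saltBits: decodeB64(m[3]).length * 8,
    digest: m[4],
  };
}

// True when a stored hash should be recomputed at the user's next login.
function needsRehash(hash, minCost) {
  const p = parseBcrypt(hash);
  return p === null || p.cost < minCost;
}

// Constructed samples: valid in shape, not the output for any real password.
const DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcde';
const SAMPLE_A = '$2b$12$abcdefghijklmnopqrstuu' + DIGEST;
const SAMPLE_B = '$2a$10$ZYXWVUTSRQPONMLKJIHGFe' + DIGEST;
```

Because verification needs the salt and cost, both are read back from the stored string; needsRehash lets a login handler upgrade old hashes once the password has been verified.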