Skip to content

bcrypt Forge

Password Hashing · Adaptive Cost · Salted

Generate real bcrypt hashes in your browser, dissect their version/cost/salt/hash anatomy, benchmark how each cost step doubles the work, and watch salting and timing-safe verification hold up against breach and rainbow-table attacks.

What bcrypt Actually Is

A Blowfish-based password hashing scheme designed by Niels Provos & David Mazières (1999). Deliberately slow and adaptive — bcrypt's cost factor lets security scale with hardware improvements.

Where bcrypt Is Used

  • Linux PAM (/etc/shadow)
  • PHP password_hash()
  • Node.js bcrypt / bcryptjs
  • Django (optional backend)
  • Ruby on Rails (default via has_secure_password)

Three-Part Output Anatomy

Why bcrypt Is Slow: The Eksblowfish Key Schedule

The cost factor is not an arbitrary dial — it is literally an exponent. bcrypt runs Blowfish's key setup, then repeats it 2cost times, each round re-mixing your password and salt into an 18-word subkey array (the ) and four 256-entry substitution boxes (the , 4 KB of state). That 4 KB of constantly-rewritten state is what makes bcrypt awkward to run massively-parallel on a GPU.

6

cost 6 → 26 = 64 key-expansion rounds

Press “Animate the key schedule” to watch the salt and password get folded into the Blowfish state 2cost times.

The 72-Byte Limit — bcrypt's #1 Footgun

bcrypt only feeds the first 72 bytes of a password into the key schedule. Everything after byte 72 is silently ignored. Two different passwords that share the same 72-byte prefix therefore produce a hash that verifies against either one. Type two long passwords below that agree for the first 72 bytes but differ afterward, and watch them cross-verify.

Why This Matters
bcrypt is the most widely deployed password hashing scheme in production systems. Understanding its structure — that “cost” means literal rounds of Blowfish key setup, and that only the first 72 bytes count — helps developers store, verify, and migrate passwords safely, and choose a cost that is slow for attackers yet fast enough for login.