What Is bcrypt?
bcrypt is an adaptive password hashing function designed in 1999 by Niels Provos and David Mazières. Based on the Blowfish cipher, bcrypt incorporates a salt to protect against rainbow table attacks and a configurable cost factor (work factor) that controls how computationally expensive the hash is to calculate. This makes bcrypt intentionally slow — and that slowness is its primary security feature.
Unlike fast hash functions like MD5 or SHA-256 (designed for data integrity), bcrypt is designed specifically for password storage. Its adaptive nature means the cost factor can be increased over time as hardware gets faster, keeping brute-force attacks impractical even with modern computing power.
How bcrypt Works
A bcrypt hash contains all the information needed to verify a password in a single string. The format is $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy, where each part has a specific meaning.
- $2b$ — the algorithm identifier indicating bcrypt version 2b (the current recommended version)
- 10$ — the cost factor (2^10 = 1024 rounds of the key derivation function)
- N9qo8uLOickgx2ZMRZoMye — the 22-character Base64-encoded salt (128 bits of randomness)
- IjZAgcfl7p92ldGxad68LJZdL17lhWy — the 31-character Base64-encoded hash output
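To make the layout above concrete, here is an added Python example (not code from the original article) that splits a bcrypt string into its version, cost, salt and digest fields and rejects strings that are not bcrypt. It depends only on the standard library; the regex encodes bcrypt's own Base64 alphabet (`./A-Za-z0-9`, which differs from RFC 4648) and the field widths listed above. The parser is for inspection and policy decisions only (for example, deciding whether a stored hash needs a cost upgrade); actual verification must still go through a bcrypt library.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own Base64 alphabet ("./A-Za-z0-9"), not the RFC 4648 one.
BCRYPT_B64 = r"[./A-Za-z0-9]"

# Layout: $<version>$<cost>$<22-char salt><31-char digest>  (60 chars total)
_HASH_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>" + BCRYPT_B64 + r"{22})"
    r"(?P<digest>" + BCRYPT_B64 + r"{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str   # e.g. "2b"
    cost: int      # work factor; bcrypt runs 2**cost expansion rounds
    salt: str      # 22 bcrypt-Base64 chars (128 bits of randomness)
    digest: str    # 31 bcrypt-Base64 chars of hash output

    @property
    def rounds(self) -> int:
        """Number of key-expansion rounds implied by the cost factor."""
        return 2 ** self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raise ValueError for anything
    that is not a well-formed bcrypt hash (e.g. a hex MD5/SHA digest)."""
    m = _HASH_RE.match(hash_str)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash string")
    cost = int(m.group("cost"))
    # Implementations accept costs 4..31; anything else is a malformed string.
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's valid range 4..31")
    return BcryptHash(m.group("version"), cost, m.group("salt"), m.group("digest"))


if __name__ == "__main__":
    # The example hash from the article.
    h = parse_bcrypt("$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy")
    print(f"version={h.version} cost={h.cost} rounds={h.rounds}")
    print(f"salt={h.salt}\ndigest={h.digest}")
```

Running it on the article's sample hash prints version `2b`, cost `10` (1024 rounds), the 22-character salt and the 31-character digest; feeding it a 32-character hex MD5 digest raises `ValueError`, which is the check a migration job uses to find accounts still on a legacy format.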
Choosing the Right Cost Factor
The cost factor (also called rounds or work factor) determines how many iterations bcrypt performs internally. Each increment doubles the computation time. A cost factor of 10 means 2^10 = 1024 iterations; a cost factor of 12 means 2^12 = 4096 iterations — four times slower than 10.
The goal is to make hashing slow enough to deter brute-force attacks while fast enough to not degrade user experience during login. Most security experts recommend a cost factor between 10 and 12 for production applications.
- Cost 10 — hashes in approximately 100ms; good baseline for most web applications
- Cost 12 — hashes in approximately 300-400ms; recommended for high-security applications like banking or healthcare
- Cost 14+ — hashes in 1 second or more; generally too slow for interactive login but may be appropriate for administrative accounts or key derivation
bcrypt vs Other Hashing Algorithms
Not all hashing algorithms are suitable for password storage. Fast hash functions like MD5 and SHA-256 can compute billions of hashes per second on modern GPUs, making them vulnerable to brute-force attacks. Password-specific functions like bcrypt, scrypt, and Argon2 are intentionally slow.
- MD5/SHA-256 — designed for speed, not password security; can be brute-forced at billions of hashes per second on a GPU; never use for passwords
- bcrypt — CPU-hard, battle-tested since 1999, widely supported in every major programming language; the default recommendation for password hashing
- Argon2 — won the Password Hashing Competition in 2015; memory-hard (resists GPU attacks better than bcrypt); recommended for new projects if library support is available
Common Use Cases
bcrypt is used wherever passwords need to be stored securely. The hash-then-verify workflow is the standard pattern.
- User registration — hash the password with bcrypt before storing it in the database; never store plaintext passwords
- Login verification — hash the submitted password with the same salt and cost factor, then compare it to the stored hash using a constant-time comparison function
- Password migration — when upgrading from MD5/SHA to bcrypt, rehash passwords on next successful login; flag accounts that still use the old hash format
Frequently Asked Questions
Can I change the cost factor without resetting passwords?
Yes. On each successful login, check if the stored hash uses an old cost factor. If so, rehash the password (which you have in plaintext during login) with the new cost factor and update the database. This is called opportunistic rehashing and allows gradual migration without forcing password resets.
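The opportunistic-rehash flow described above, as an added Python example that is not part of the original article. The policy logic (`stored_cost`, `needs_rehash`, `login`) is real and reads the cost straight from the stored string; the two hashing callables are injected so the logic can be exercised offline. In production you would pass `bcrypt.checkpw` and `lambda pw, cost: bcrypt.hashpw(pw, bcrypt.gensalt(rounds=cost))` from the `bcrypt` package. The `demo_hashpw` / `demo_checkpw` pair at the bottom is a constructed stand-in that only imitates the bcrypt string format so the example runs without the library; it is fast and unsalted and is not a password hash.

```python
import hashlib
import hmac
import re
from typing import Callable, Optional, Tuple

_COST_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$")


def stored_cost(stored_hash: str) -> Optional[int]:
    """Cost factor encoded in a bcrypt string, or None if the string is not
    bcrypt at all (e.g. a legacy MD5/SHA hex digest)."""
    m = _COST_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def needs_rehash(stored_hash: str, target_cost: int) -> bool:
    """True when the stored hash is not bcrypt, or its cost is below the
    currently configured target. Higher-than-target costs are left alone."""
    cost = stored_cost(stored_hash)
    return cost is None or cost < target_cost


# Shapes of bcrypt.checkpw(password, hashed) and of a hashpw+gensalt wrapper.
CheckFn = Callable[[bytes, bytes], bool]
HashFn = Callable[[bytes, int], bytes]


def login(password: str, stored_hash: str, target_cost: int,
          checkpw: CheckFn, hashpw: HashFn) -> Tuple[bool, Optional[str]]:
    """Verify the password against the stored hash. On success, return an
    upgraded hash to write back if the stored one is below target_cost.
    Returns (ok, new_hash_or_None). The plaintext is only available here,
    during login, which is why the rehash happens at this point.
    Note: a checkpw that only understands bcrypt will reject legacy strings,
    so a mixed database needs a checkpw that dispatches on format first."""
    pw = password.encode("utf-8")
    if not checkpw(pw, stored_hash.encode("ascii")):
        return False, None
    if needs_rehash(stored_hash, target_cost):
        return True, hashpw(pw, target_cost).decode("ascii")
    return True, None


# --- Constructed stand-in for demonstration only; NOT bcrypt. ---------------
# Mimics the "$2b$<cost>$<22 salt><31 digest>" format so the policy above can
# run offline. It is fast and uses a fixed salt: never store passwords with it.
_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_FIXED_SALT = "N9qo8uLOickgx2ZMRZoMye"  # constant so results are deterministic


def demo_hashpw(pw: bytes, cost: int) -> bytes:
    digest = hashlib.sha256(pw + _FIXED_SALT.encode("ascii")).digest()
    body = "".join(_B64[b % 64] for b in digest[:31])
    return f"$2b${cost:02d}${_FIXED_SALT}{body}".encode("ascii")


def demo_checkpw(pw: bytes, stored: bytes) -> bool:
    cost = stored_cost(stored.decode("ascii"))
    if cost is None:
        return False
    # Constant-time comparison, as a real checkpw does.
    return hmac.compare_digest(demo_hashpw(pw, cost), stored)


if __name__ == "__main__":
    TARGET_COST = 12
    old_record = demo_hashpw(b"correct horse", 10).decode("ascii")  # cost 10 on file
    ok, upgraded = login("correct horse", old_record, TARGET_COST, demo_checkpw, demo_hashpw)
    print("login ok:", ok, "| rehashed to cost:", stored_cost(upgraded) if upgraded else None)
    ok, again = login("correct horse", upgraded, TARGET_COST, demo_checkpw, demo_hashpw)
    print("second login ok:", ok, "| rehash needed:", again is not None)
```

The write-back of the new hash belongs inside the same request that verified the password; a failed verification must never trigger a rehash, and a stored cost above the target is left untouched so a later policy rollback does not silently weaken hashes.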
How do I verify a password against a bcrypt hash?
The bcrypt hash string contains the algorithm version, cost factor, and salt. The verification function extracts these, hashes the candidate password with the same parameters, and compares the results using constant-time comparison to prevent timing attacks. In Node.js, use bcrypt.compare(); in Python, use bcrypt.checkpw().
Should I use bcrypt or Argon2?
Both are excellent choices. bcrypt is battle-tested over 25 years with universal library support. Argon2 is newer, memory-hard (better against GPU attacks), and won the Password Hashing Competition. For new projects, Argon2id is the recommended choice if your platform supports it well. For existing projects, bcrypt remains perfectly secure when configured with cost factor 10 or higher.