Is my password sent to your server?

No. The entire verification runs in your browser using the bcryptjs JavaScript library. No data is transmitted over the network.

Which bcrypt variants are supported?

All common variants: $2a$, $2b$, and $2y$. These differ only in historical edge cases around 8-bit character handling — bcryptjs handles all of them correctly.

Why does verification take a moment for high cost factors?

Bcrypt is intentionally slow. A cost factor of 12 requires 4096 iterations; at 14 that rises to 16384. The browser runs the full computation synchronously, which may take 1–3 seconds on high cost factors.

Can I use this to crack a bcrypt hash?

No. Bcrypt is a one-way function — you must supply the exact plaintext to check. This tool only verifies a candidate you already know; it does not perform brute-force or dictionary attacks.

What is a bcrypt hash cost factor?

The cost factor (e.g. 12 in $2b$12$...) controls how computationally expensive the hash is to compute. Higher values make brute-force attacks slower. Most modern applications use 10–13.

Why does the same password produce different hashes each time?

Bcrypt embeds a random 128-bit salt in every hash, so hashing the same password twice yields different output. Verification works by extracting the salt from the stored hash and re-running the algorithm — not by comparing raw strings.

Bcrypt Hash Verifier

Name: Bcrypt Hash Verifier
Availability: InStock
Author: Nham Vu

Enter a plaintext password and a bcrypt hash to instantly verify whether they match — all client-side, nothing sent to any server.

Verify a Bcrypt Hash

Plaintext Password

Bcrypt Hash

Starts with $2a$ , $2b$ , or $2y$

Fill in both fields and click Verify Hash

Summary