Bcrypt & Argon2 Hash Generator + Verify Tool

Hash and verify passwords locally.

About Bcrypt & Argon2 Hash Generator + Verify Tool

Hash passwords with bcrypt or Argon2 and verify a password against an existing hash — right in your browser. Both algorithms are deliberately slow and salted, the way password storage is supposed to work: the same password produces a different hash every time, and you check a guess by verifying it rather than re-hashing and comparing strings.

This password hash tool is built for seeding test users, debugging an auth flow, and sanity-checking a migration between hashing schemes. You pick the cost: bcrypt rounds, or Argon2 memory, iterations, and parallelism.

Everything runs locally with no network calls — your passwords and hashes never leave the device. bcrypt runs as pure JavaScript and Argon2 runs as inlined WebAssembly, both loaded only when you use them.

Features

  • bcrypt and Argon2 (argon2id / argon2i / argon2d) in one place
  • Hash a password or verify one against an existing hash
  • Tune the work factor: bcrypt rounds, Argon2 memory / iterations / parallelism
  • Copy the resulting hash with one click
  • Fully offline — nothing is ever uploaded

How to use

  1. Choose an algorithm — bcrypt or Argon2.
  2. Pick a mode: Hash to generate a hash, or Verify to test a password against one.
  3. Enter the password (and, in Verify mode, the existing hash), adjusting the cost parameters as needed.
  4. Copy the generated hash, or read the match / no-match result.

Frequently asked questions

bcrypt vs Argon2 — which should I use?

Argon2id is the current recommendation for new systems: its tunable memory cost makes GPU cracking expensive, and it is designed to resist side-channel attacks as well. bcrypt is older but still solid and ubiquitous, and a fine choice when your stack or framework already standardizes on it.

Why does the same password give a different hash each time?

Both algorithms generate a random salt and embed it in the output. That is by design — it stops attackers from using precomputed rainbow tables. To check a password you verify it against the stored hash; you never re-hash and compare strings.

Does bcrypt have a password length limit?

Yes. bcrypt only considers the first 72 bytes of the input and silently ignores the rest, so two very long passwords that share the same first 72 bytes produce the same result and verify against the same hash. Argon2 has no such limit. The tool warns you when a password exceeds 72 bytes in bcrypt mode.

Is it safe to hash real passwords here?

The hashing happens entirely in your browser and nothing is sent anywhere, so it is safe for testing and debugging. Still, treat any tool like a workbench: for production secrets, hash on your own trusted server with your own parameters.

Which cost parameters should I pick?

A bcrypt cost of 10–12 is a common baseline. For Argon2id, OWASP suggests starting around 19 MiB of memory, 2 iterations, and 1 lane, then tuning upward to whatever your hardware can afford within an acceptable login time.
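
When sanity-checking a migration, the cost parameters and salt can be read straight out of the stored hash string. The following is an added example, not code from this tool: it parses bcrypt and Argon2 encoded hashes, flags those below an assumed policy built from the figures above, and measures a password against bcrypt's 72-byte limit in UTF-8 bytes. The function names, the POLICY object and the sample hashes are constructed for illustration.

```javascript
// Added example. Sample hashes are constructed placeholders, not real digests.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;
const ARGON2_RE =
  /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+\/]+)\$([A-Za-z0-9+\/]+)$/;

// Assumed policy from the FAQ figures: bcrypt cost 12; Argon2id 19 MiB, 2 iterations.
const POLICY = { bcryptCost: 12, memoryKiB: 19 * 1024, iterations: 2 };

// Split an encoded hash into algorithm, cost parameters and the embedded salt.
function parseHash(encoded) {
  let m = BCRYPT_RE.exec(encoded);
  if (m) return { algorithm: "bcrypt", variant: m[1], cost: Number(m[2]), salt: m[3] };
  m = ARGON2_RE.exec(encoded);
  if (!m) return null; // unknown or malformed input
  return { algorithm: m[1], version: Number(m[2]), memoryKiB: Number(m[3]),
           iterations: Number(m[4]), parallelism: Number(m[5]), salt: m[6] };
}

// True when a stored hash is below policy and should be re-hashed after the
// next successful login (the plaintext is only available at that moment).
function needsRehash(encoded, policy = POLICY) {
  const h = parseHash(encoded);
  if (!h) return true;
  if (h.algorithm === "bcrypt") return h.cost < policy.bcryptCost;
  if (h.algorithm !== "argon2id") return true; // assumed policy: argon2i/argon2d move to argon2id
  return h.memoryKiB < policy.memoryKiB || h.iterations < policy.iterations;
}

// bcrypt's 72-byte limit counts UTF-8 bytes, not characters.
function bcryptInputInfo(password) {
  const bytes = new TextEncoder().encode(password).length;
  return { bytes, truncated: bytes > 72 };
}

// Constructed samples.
const SAMPLE_BCRYPT = "$2b$10$" + "a".repeat(22) + "b".repeat(31);
const SAMPLE_ARGON2 = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHRzYWx0$" + "A".repeat(43);
console.log(parseHash(SAMPLE_BCRYPT), needsRehash(SAMPLE_BCRYPT));
console.log(parseHash(SAMPLE_ARGON2), needsRehash(SAMPLE_ARGON2));
console.log(bcryptInputInfo("\u00e9".repeat(40)));
```

A 40-character password of accented letters already exceeds the limit, because each character encodes to two bytes.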
