How to hash a password with bcrypt

Generate and verify bcrypt password hashes in your browser. Adjustable cost factor, nothing uploaded.

Bcrypt is a deliberately slow, salted password hash. Each hash embeds a random salt and a cost factor, so the same password produces a different 60-character hash every time — which is exactly what you want for stored passwords. Paste a password and pick a cost (work factor) to generate one.

Input
correct horse battery staple   (cost 12)
Output
$2b$12$… (60 characters; a new salt → a different hash on every run)

The "$2b$12$" prefix encodes the algorithm and cost; the salt and digest follow.
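
As an added example (not code from this page or its tool), the Python below parses the layout just described and flags stored hashes that are truncated or below a minimum cost. The names `parse_bcrypt` and `audit`, the `min_cost` default, and the sample string are assumptions constructed for illustration; it checks format only and does not verify a password.

```python
import re

# Layout of a bcrypt string: $<version>$<2-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raise ValueError if malformed."""
    match = BCRYPT_RE.fullmatch(stored)
    if match is None:
        raise ValueError("not a complete 60-character bcrypt string")
    version, cost_text, salt, digest = match.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:  # the range bcrypt accepts
        raise ValueError(f"cost {cost} is outside 4..31")
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def audit(stored: str, min_cost: int = 12) -> str:
    """Classify a stored hash as 'ok', 'weak-cost' or 'malformed'."""
    try:
        fields = parse_bcrypt(stored)
    except ValueError:
        return "malformed"  # e.g. cut short by a too-narrow database column
    return "ok" if fields["cost"] >= min_cost else "weak-cost"


if __name__ == "__main__":
    # Constructed placeholder with the right shape; not a real digest of any password.
    sample = "$2b$12$" + "A" * 22 + "B" * 31
    for label, value in [("full", sample), ("truncated", sample[:50]),
                         ("cost 10", sample.replace("$12$", "$10$"))]:
        print(label, len(value), audit(value))
```

A `weak-cost` result is a cue to re-hash at the user's next successful login, since that is the only time the plaintext password is available.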

Steps

  1. Open the Bcrypt tool and enter the password to hash.
  2. Set the cost factor (10–12 is typical; higher is slower and stronger).
  3. Generate the hash and store the whole 60-character string — it includes the salt.
  4. To check a login, use Verify mode with the password and the stored hash.

Frequently asked questions

Why is the bcrypt hash different every time?
Bcrypt generates a new random salt per hash, so the same password yields a different output each run. Verification still works because the salt is stored inside the hash string itself.

Why use bcrypt instead of SHA-256 for passwords?
SHA-256 is fast, which helps attackers brute-force it. Bcrypt is intentionally slow and salted, with a tunable cost factor, making large-scale guessing impractical.