Generate bcrypt hashes: the time-tested adaptive password hashing function based on the Blowfish cipher.
About
bcrypt is a password hashing function based on the Blowfish cipher, using a salt and adaptive cost factor to resist brute-force attacks. It has been widely used for password hashing since 1999.
Specifications
Output Size: N/A
Standard: USENIX bcrypt paper
Standard Year: 1999
Use Cases
- Unix/Linux system password storage
- Web application password hashing
- PHP password_hash() default
- Legacy system password upgrades
- Systems requiring proven track record
Security Notice
bcrypt uses only the first 72 bytes of a password and truncates the password at a null byte. For new systems, Argon2id is recommended.
Frequently Asked Questions
A cost factor of 10-12 is common (2^10 to 2^12 iterations). Higher is more secure but slower. Measure the time on your target hardware and choose the highest value that keeps login time under 250-500 ms. The cost factor can be increased over time as hardware improves.
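bcrypt truncates passwords at 72 bytes and ignores characters after null bytes (0x00). It also produces a fixed 184-bit output. For passwords longer than 72 bytes, pre-hash with SHA-256 first. Because a raw SHA-256 digest can itself contain a 0x00 byte, pass the digest to bcrypt in hex or Base64 form rather than as raw bytes. For new projects, consider Argon2id, which does not have these limitations.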
For new applications, use Argon2id. For existing bcrypt hashes, you can gradually migrate: when a user logs in, verify with bcrypt, then re-hash with Argon2id and store the new hash. This avoids forcing all users to reset passwords while improving security over time.
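The rehash-on-login step described above, and the advice to raise the cost factor over time, can share one code path. The following is an added example, not code from this page or from the PHP project: it assumes a PHP build where PASSWORD_ARGON2ID is available, and the `login()` function, the `$users` array and the Argon2id parameters are constructed for illustration.

```php
<?php
// Target format for all stored hashes. The parameter values are constructed
// for this example; measure and tune them on the target hardware.
const TARGET_ALGO = PASSWORD_ARGON2ID;
const TARGET_OPTIONS = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];

// Verify a login and, on success, upgrade the stored hash if it is not
// already in the target format. $users stands in for the credential table.
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false; // unknown user or wrong password: nothing is rewritten
    }

    // The plaintext is only available right after a successful verify, so
    // this is the one place a legacy hash can be replaced. The check is true
    // for a bcrypt hash and for an Argon2id hash made with other parameters.
    if (password_needs_rehash($stored, TARGET_ALGO, TARGET_OPTIONS)) {
        $users[$name] = password_hash($password, TARGET_ALGO, TARGET_OPTIONS);
    }
    return true;
}

// Constructed sample: one account still stored as bcrypt with cost 10.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Print the algorithm name of the stored hash before and after each attempt.
$report = function (string $label) use (&$users): void {
    echo $label, ': ', password_get_info($users['alice'])['algoName'], "\n";
};

$report('initial');
var_dump(login($users, 'alice', 'wrong guess'));   // failed login
$report('after failed login');
var_dump(login($users, 'alice', 'correct horse')); // successful login, triggers the upgrade
$report('after successful login');
var_dump(login($users, 'alice', 'correct horse')); // verifies against the new hash
```

Argon2id hashes are longer than the 60-character bcrypt format, so the column that stores them must be widened before the first upgrade is written. Accounts that never log in keep their bcrypt hash until they do.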