Bcrypt Generator
Generate and verify bcrypt hashes in your browser with configurable cost.
Generate Argon2 password hashes and verify passwords against existing hashes — entirely in your browser via a vendored WebAssembly build of the reference library. Configure the variant (Argon2id is the modern default), memory cost, iterations, and parallelism. Nothing is sent to a server. Useful for testing authentication code that uses Argon2, generating seed data for migrations, and confirming a stored hash matches a typed password.
Argon2 is a memory-hard password hashing function — it deliberately allocates and reads back a large block of memory (typically 19 to 64 MiB or more) during each hash computation. This is the property that makes it stronger than bcrypt against attackers with GPUs or custom hardware: a GPU has thousands of cores but very limited per-core memory, so running tens of thousands of Argon2 hashes in parallel doesn't fit. The attacker is forced to use external RAM, which throttles the parallel rate by orders of magnitude compared to bcrypt or SHA-based hashes.
Three parameters tune the algorithm. Memory cost (m) sets how many kibibytes of RAM each hash uses; higher means more attack resistance but slower. Time cost (t) controls the number of passes over the memory; doubling roughly doubles the time. Parallelism (p) splits the work across threads — useful for matching your production server's available cores. All three combine to determine total work per hash; tune them to hit a target latency (250-500ms is typical) on your real server.
Argon2id, the recommended variant, is a hybrid: it runs Argon2i (data-independent access, side-channel safe) for the first half of the computation, then switches to Argon2d (data-dependent, faster) for the rest. This gives most of the side-channel resistance of pure Argon2i with most of the speed of Argon2d. Unless you're hashing in an environment with known side-channel risk (shared hosting, suspect VMs) or specifically need maximum speed, Argon2id is the right choice.
m=19456 (19 MiB memory), t=2 (iterations), p=1 (parallelism). For higher-security applications: m=65536 (64 MiB), t=3, p=4. The latency target most teams aim for is 250-500ms per hash on the production server — slow enough to throttle brute-force attacks, fast enough that login latency is invisible. Use the speed test on this page to find the highest cost factor your server can sustain without affecting user experience. As hardware gets faster, raise the parameters during the next planned re-hash cycle.$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG. The fields are: algorithm variant (argon2id), version (v=19), parameters (m=memory,t=iterations,p=parallelism), the salt (base64), and the hash itself (base64). The whole string goes into a single database column — verification re-extracts the parameters and salt, so there's nothing to store separately.