Question 1

What is bcrypt?

Accepted Answer

Bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher's expensive key setup phase. Unlike fast message digests (MD5, SHA-256) that can compute billions of hashes per second on a GPU, bcrypt is deliberately slow — its work factor (cost) determines how many rounds of key derivation run before producing the final hash. The 'expensive' key setup means each guess takes a fixed amount of CPU time that you, the defender, choose. Bcrypt is salted automatically — the 16-byte salt is embedded in the output, so identical passwords produce different hashes. Bcrypt has been the de-facto standard password hashing function for ~25 years and remains a solid choice in 2026, though OWASP now slightly prefers Argon2id.

Question 2

What's the difference between $2a$, $2b$, and $2y$?

Accepted Answer

All three are bcrypt with identical algorithmic behavior — the difference is metadata about which implementation produced the hash. $2$ was the original. $2a$ was added when a sign-extension bug was found in the original implementation; hashes generated by buggy implementations were marked $2a$ to flag them. $2x$ was Crypt_Blowfish 1.0.4's marker for the broken sign-extension behavior, kept for legacy compatibility. $2b$ is the standard modern prefix used by most libraries. $2y$ was added by PHP in 2012 specifically to mark hashes generated after a security fix; Apache's htpasswd only accepts $2y$. In practice, any modern bcrypt library treats $2a$, $2b$, and $2y$ as identical when verifying. Pick $2y$ for htpasswd, $2b$ for everything else.

Question 3

What cost rounds should I use?

Accepted Answer

OWASP's 2024 Password Storage Cheat Sheet recommends bcrypt cost ≥ 10 for new systems. Each step doubles compute time — cost 10 means 2^10 = 1,024 internal Blowfish key setup iterations, taking ~100ms on a modern server. Cost 12 is becoming the new default in most languages' standard libraries (~400ms/hash). Cost 14 adds another 16× margin and pushes login times noticeably over 1 second. The right value depends on your hardware: pick the highest cost that keeps login under ~250ms on the slowest expected machine. Server cost matters because users won't tolerate 2-second login delays, but attacker cost scales the same way — every step you can afford makes brute-force 2× harder.

Question 4

Does bcrypt have a 72-byte input limit?

Accepted Answer

Yes — this is the most-cited gotcha with bcrypt. The Blowfish key setup operates on a 56-byte key, but bcrypt internally pads/cycles the password to 72 bytes before key expansion. Inputs longer than 72 bytes are silently truncated. This affects you if your passwords might exceed 72 ASCII characters (rare but possible for passphrases) or if your users type in non-ASCII (each character may be 2-4 bytes in UTF-8). The standard mitigation is to pre-hash the password with SHA-256 before passing it to bcrypt, producing a 64-byte digest that fits comfortably under the 72-byte limit. Django's BCryptSHA256PasswordHasher does exactly this. For most ASCII passwords under 50 characters, the 72-byte limit is irrelevant.

Question 5

How do I verify a bcrypt hash without knowing the cost?

Accepted Answer

The cost and salt are embedded in the hash itself. A bcrypt hash has the structure `$2y$10$22-char-salt53-char-checksum` — the `10` is the cost, and the salt+checksum follow. When verifying, the library parses the cost and salt from the stored hash, then re-runs the key setup at that cost with that salt against the user's typed password, and compares the resulting checksums in constant time. You never need to pass the cost explicitly. The Verify tab above this section does this automatically — paste any bcrypt hash and the supplied password, and you get a yes/no result.

Question 6

Is bcrypt still recommended in 2026, or should I use Argon2?

Accepted Answer

Both are acceptable per OWASP's 2024 guidance. Argon2id (winner of the 2015 Password Hashing Competition) is now the first recommendation because it's memory-hard — it requires significant RAM per guess, which makes GPU and ASIC attacks much more expensive. Bcrypt is CPU-hard but only uses ~4KB of memory per hash, so GPUs and ASICs can run many bcrypts in parallel. That said, bcrypt is battle-tested over 25+ years, has implementations in every language, and at cost ≥ 10 is still strong enough to defeat realistic brute-force attempts against passwords with ≥ 50 bits of entropy. New systems should default to Argon2id; existing bcrypt deployments don't need to migrate urgently unless you're seeing actual attacks. Both beat PBKDF2 and SHA-* for password storage.

Cost	Iterations	~Time (modern CPU)	Use case
4	16	<1ms	Testing only — insecure
10	1,024	~100ms	OWASP minimum (2024)
12	4,096	~400ms	Modern default
14	16,384	~1.5s	High-value accounts
15	32,768	~3s	Acceptable upper bound

Bcrypt Generator & Verifier

What Is Bcrypt?

Hash Format Explained

Cost Tuning

Frequently Asked Questions