Hash Generator

Generate MD5 and SHA family hashes in one click. Generate and verify bcrypt password hashes with adjustable cost factor. Compare any two hashes for equality.

bcrypt.tool
Bcrypt is a slow password-hashing function designed to resist brute-force attacks. The output is never the same twice — even for identical input.
Cost factor: 4 (fastest) to 14 (slowest)
hash-compare.tool
Paste two hashes to check if they are identical. Comparison is case-insensitive.

Cryptographic Hashes vs Bcrypt — Know the Difference

MD5, SHA-1, SHA-256, SHA-384, and SHA-512 are general-purpose hash functions designed to be fast. Speed is a problem for passwords — an attacker with a GPU can test billions of MD5 or SHA-256 guesses per second. Never use these to store passwords.

Bcrypt is designed specifically for passwords and is intentionally slow. The cost factor (rounds) controls how slow — each increment doubles the work. At 12 rounds, hashing takes roughly 250ms, which is imperceptible to a real user but makes brute-force attacks take thousands of years. PostgreSQL, Django, Laravel, Node.js bcrypt libraries, and most modern authentication systems use bcrypt or its successors (Argon2, scrypt).

The Five Hash Algorithms

  • MD5 — 128-bit. Fast, widely used for checksums and file integrity. Cryptographically broken — do not use for security purposes.
  • SHA-1 — 160-bit. Also broken for collision resistance since 2017. Still used in Git for content addressing. Not for passwords or signatures.
  • SHA-256 — 256-bit. Current standard. Used in TLS certificates, Bitcoin, JWT signatures, and file checksums. Safe for general use.
  • SHA-384 — 384-bit. Truncated version of SHA-512 computed on 64-bit words. Slightly faster than SHA-512 on 64-bit systems.
  • SHA-512 — 512-bit. Highest security in the SHA-2 family. Used where maximum hash length is needed.

Bcrypt Rounds Guide

Rounds 10–12 cover most production use cases. 10 rounds is about 100ms per hash; 12 rounds is about 250ms; 14 rounds exceeds 1 second. Always benchmark on your actual server hardware and choose the highest value that keeps login response under 500ms for your user load.

Frequently Asked Questions

No. MD5 and SHA-256 are fast by design — a modern GPU can compute billions of SHA-256 hashes per second. This makes them completely unsuitable for password storage. An attacker who obtains your database can crack most passwords in minutes using precomputed rainbow tables or brute force. Use bcrypt, scrypt, or Argon2 for passwords. Use SHA-256 or SHA-512 for everything else: checksums, data integrity verification, HMAC signatures, and non-secret IDs.
The OWASP recommendation is a minimum of 10, with 12 as the practical standard for most applications. Each increment doubles the computation time — 12 is roughly 4x slower than 10. Test on your production server hardware and choose the highest value that keeps hash generation under 500ms. As hardware gets faster over time, increase your default rounds in new hashes while keeping legacy hashes readable with their original round count (bcrypt stores the rounds in the hash string itself).
Bcrypt generates a random 128-bit salt for every hash, which is embedded in the output alongside the cost factor. The full output — $2a$12$[22 chars salt][31 chars hash] — contains everything needed to verify the password later. Two hashes of "password123" at 12 rounds look completely different but both correctly verify against the original text. This salt prevents rainbow table attacks.
No — hashing is a one-way function by design. There is no mathematical way to reverse SHA-256 or bcrypt. What attackers do instead is guess-and-check: they hash millions of candidate passwords and see if any match. MD5 and SHA hashes of short, common passwords are trivially cracked this way. Bcrypt's slowness makes this impractical even for simple passwords, provided the rounds are high enough.
SHA-384 is part of the SHA-2 family. It is used in TLS cipher suites (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is a common one), in HMAC-SHA-384 message authentication, and in applications that need more than 256 bits of security. On 64-bit systems, SHA-512 and SHA-384 are actually faster than SHA-256 due to their wider internal word size.
Use the Verify tab in the bcrypt section above. Paste the full hash (starting with $2a$ or $2b$) into the hash field, enter the original text, and click Verify. The tool uses bcryptjs to recompute the hash using the salt embedded in the stored hash and compares the result. This is exactly what your application's authentication code does on login.
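
The answers above note that bcrypt stores the rounds and salt in the hash string itself ($2a$12$[22 chars salt][31 chars hash]) and that rounds should be raised for new hashes while legacy ones stay verifiable. The following JavaScript is an added example, not code from this tool or from bcryptjs: it parses that string and flags hashes below a target cost. The function names, the target cost of 12 and the sample strings are assumptions made for illustration.

```javascript
// Added example: parse the bcrypt string layout described above.
// BCRYPT_RE, parseBcrypt, needsRehash, workRatio and TARGET_COST are
// hypothetical names chosen for this example.
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

const TARGET_COST = 12; // assumed policy value, taken from the page's guidance

// Returns { version, cost, salt, digest } or null if the string is not
// a well-formed 60-character bcrypt hash.
function parseBcrypt(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Call after a successful login: true means the password the user just
// supplied should be hashed again at the target cost and the stored
// string replaced. The old hash stays verifiable until then.
function needsRehash(stored, target = TARGET_COST) {
  const parsed = parseBcrypt(stored);
  if (!parsed) throw new Error("not a bcrypt hash");
  return parsed.cost < target;
}

// Each cost increment doubles the work, so the ratio is a power of two.
function workRatio(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Constructed sample strings: valid in shape only, not hashes of any password.
const LEGACY = "$2a$10$" + "A".repeat(21) + "u" + "B".repeat(31);
const CURRENT = "$2b$12$" + "C".repeat(21) + "e" + "D".repeat(31);

for (const h of [LEGACY, CURRENT]) {
  const p = parseBcrypt(h);
  const action = needsRehash(h) ? "re-hash on next login" : "ok";
  console.log(p.version, "cost", p.cost, action);
}
console.log("work ratio, cost 10 to 12:", workRatio(10, 12));
```

The bcrypt alphabet is case-sensitive, so an upper-cased copy of a bcrypt string no longer parses; case-insensitive comparison only makes sense for hex digests such as MD5 and SHA output.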