What does the bcrypt tester do?

It checks whether a plain text (usually a password) matches a bcrypt hash. It's the inverse of hashing: you provide the original text and the previously generated hash, and the tool confirms whether they match.

How does verification work?

Bcrypt embeds the random salt inside the hash itself. To verify, the tool extracts the salt from the original hash, applies it to the provided text, and compares the result with the final part of the hash. If they match, it's the same password.

Is it safe to test my password here?

Yes. All verification happens locally in your browser via JavaScript. No password and no hash are sent to ToolboxHub servers.

Why are two hashes of the same text different?

Bcrypt uses a random salt on each generation, so the same text produces different hashes. This is a protection against rainbow tables. Verification doesn't compare hashes directly — it applies the salt embedded in the original hash to the new text.

Which bcrypt versions are supported?

The tool supports versions 2a, 2b, and 2y, which are the most common in modern libraries. The version is the first segment of the hash (e.g., $2b$10$...).

Why is verification a bit slow?

It's intentional. Bcrypt applies several rounds of hashing (usually 10 to 12) to make brute-force attacks unfeasible. The higher the cost (rounds) embedded in the hash, the longer verification takes — and the more secure the scheme is.

Can I test hashes generated in Laravel, Node.js, Python, or Spring?

Yes. The bcrypt algorithm is standardized, so hashes generated in Laravel (Hash::make), Node.js (bcrypt/bcryptjs), Python (passlib/bcrypt), and Spring Security (BCryptPasswordEncoder) follow the same $2a$/$2b$/$2y$ format and can be verified here without any adaptation.

Free Online Bcrypt Tester: Verify Password Against Hash

About the Bcrypt Tester

Verify whether a plain text password matches a bcrypt hash. It's the inverse of the generator: extremely useful for debugging logins, recovering access in test environments, and validating passwords without resetting the database. All verification happens locally, with nothing sent to any server. To generate bcrypt hashes, use our Hash Generator.

Use cases by framework

The bcrypt algorithm is standardized, so hashes generated by the frameworks below follow the same format and can be verified here without any conversion.

Framework / language	Generation	Verification
Laravel (PHP)	Hash::make($plain)	Hash::check($plain, $hash)
Node.js (bcrypt / bcryptjs)	bcrypt.hash(plain, rounds)	bcrypt.compare(plain, hash)
Python (passlib / bcrypt)	bcrypt.hashpw(plain, salt)	bcrypt.checkpw(plain, hash)
Spring Security (Java)	encoder.encode(plain)	encoder.matches(plain, hash)
Django (Python)	make_password(plain)	check_password(plain, hash)
Ruby (bcrypt-ruby)	BCrypt::Password.create(plain)	password == plain

How to verify in 3 steps

Paste the original password in the first field.
Paste the bcrypt hash (60 characters, starting with $2a$ , $2b$ , or $2y$ ).
Click Verify to see if they match.

Structure of a bcrypt hash

A bcrypt hash has 60 characters split into four parts separated by $.

Part	Example	Meaning
Version	$2b$	Identifies the variant (2a, 2b, or 2y)
Cost	10$	Number of rounds (computational cost)
Salt	22 characters	Random sequence embedded in the hash
Hash	31 characters	Result of bcrypt applied to the text + salt

Bcrypt Tester