Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

Bcrypt & Argon2 Generator

Hash a password with bcrypt or Argon2 and verify a password against an existing hash. Tune the cost factor, memory, iterations and parallelism, see how long the hash takes, and read the parsed parts of any hash you paste.

Everything runs locally in your browser. Your data never leaves your device.

Password

The password stays in this field and is not saved anywhere.

Parameters

4,096 rounds

4 to 31

Each step doubles the work: cost 12 runs 4,096 rounds. OWASP recommends at least 10, and 12 is a common default.

Hash

Type a password above, then press Generate hash.

Which algorithm to pick

Argon2id is the first choice for new systems and what OWASP recommends. It combines Argon2i's defense against side channel attacks with Argon2d's resistance to GPU cracking. bcrypt remains acceptable for existing systems at cost 10 or higher, but it only reads the first 72 bytes of a password. Argon2i and Argon2d are the specialized single purpose variants, useful only when a spec demands one.

Next steps

Send this tool's output straight into another tool.

Convert text into every case at once: title case in the APA, AP, Chicago, MLA, Bluebook, AMA and NYT styles, sentence case, upper, lower, camelCase, snake_case, kebab-case and more.

Count words, characters, sentences, paragraphs, lines and more as you type, with estimated reading and speaking time.

Remove duplicate lines from a list or text, keeping the first occurrence. Optionally ignore case and whitespace, or drop blank lines too.

Replace text in two modes: plain find and replace all, or regular expressions with flag controls and capture group references like $1.

Compare two texts and see every added, removed and changed line highlighted, side by side or inline, with the changed words marked within each line. Ignore case, whitespace or blank lines, read a summary of how much changed, and export the result as a unified diff.

Paste a UUID to see what it carries: version, variant, and for time-based versions the exact timestamp, clock sequence and node. Also shows the raw bytes, the 128-bit integer and the URN form.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

Convert numbers between binary, octal, decimal, hexadecimal and any base up to 36. Type into any field and the others update as you go. Handles huge integers without losing precision and accepts 0x, 0b and 0o prefixes.

Convert between scientific notation and full numbers as you type. Reads 1.23e5, 1.23 × 10^5 and plain numbers, shows the value written out, in normalized scientific notation and in engineering notation, and can round to any number of significant digits.

About the Bcrypt & Argon2 Generator Tool

This tool hashes a password with bcrypt or Argon2 and checks a password against a hash you already have. Pick the algorithm, tune its work factor, and press generate. The result is the standard encoded string, $2b$12$... for bcrypt or $argon2id$v=19$m=19456,t=2,p=1$... for Argon2, ready to paste into a database seed, a config file or a test fixture.

Every run draws a fresh random salt, so the same password gives a different hash each time. The tool reports how long the hash took, which is the honest way to judge a work factor: slow enough to hurt an attacker, fast enough for your login flow. A hash inspector breaks any pasted hash into its parts, and the verify mode tells you whether a password matches it.

What you can do

  • Generate a bcrypt hash with a chosen cost factor.
  • Generate an Argon2id, Argon2i or Argon2d hash with tunable memory, iterations, parallelism and digest length.
  • Verify a password against an existing bcrypt or Argon2 hash.
  • Apply the OWASP recommended Argon2 configurations with one click.
  • See how long a hash takes as a feel for the work factor.
  • Decode an encoded hash into its algorithm, parameters, salt and digest.
  • Check which algorithm and cost a stored hash uses.

How to use the Bcrypt & Argon2 Generator

  1. 1Type or paste the password. Use the eye button to reveal it while typing.
  2. 2In generate mode, pick bcrypt or an Argon2 variant and adjust the parameters. The defaults follow the OWASP recommendations, and warnings appear when a choice falls below them.
  3. 3Press Generate hash and copy the encoded result. Press New salt to rehash the same password with a fresh salt.
  4. 4To check a password, switch to verify mode, paste the stored hash, and press Verify password. The algorithm is detected from the hash itself.

What the encoded string contains

Password hashes carry everything needed to verify them later. A bcrypt hash like $2b$12$... packs the format variant, the cost factor, 22 characters of salt and 31 characters of digest into one string. An Argon2 hash spells its parameters out: m is the memory in KiB, t the iterations and p the parallelism, followed by the salt and digest in base64. The hash inspector labels each of these parts for any hash you paste or generate, which helps when auditing what an existing system actually stored.

Choosing the work factor

For bcrypt, each cost step doubles the work, so cost 12 runs 4,096 rounds and cost 13 twice that. OWASP recommends a cost of at least 10. For Argon2id, OWASP recommends 19 MiB of memory with 2 iterations and 1 lane as a minimum, and lists equivalent trades of more iterations for less memory, all available here as presets. The reported hashing time makes the trade concrete. Something around 100 ms per hash is a common target for login flows.

bcrypt has one quirk worth knowing: it only reads the first 72 bytes of a password. The tool warns when a password crosses that line. Argon2 has no such limit.

Generating test data

A common use is seeding a development database or writing tests for a login flow. Create a throwaway password with the Password Generator and send it here, hash it, and paste the encoded string into your fixture. For general purpose digests like SHA-256, which are not suitable for storing passwords, use the Hash Generator instead.

Credits

Open source does the heavy lifting in this tool. Thank you to:

  • hash-wasm

    Hand-tuned WebAssembly implementations of MD5, SHA, BLAKE, bcrypt, Argon2 and many more.

Everything this site builds on is listed on the credits page.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Strip the sensitive bits out of a log or any text before sharing it: emails, IP and MAC addresses, file paths, UUIDs, timestamps, URLs, tokens and more. Pick what to redact and how it is replaced, with stars, a fixed character, a type label or a length-preserving mask.

Paste a PEM certificate to see its subject, issuer, validity dates, subject alternative names, key details, fingerprints and extensions in plain view.

Enter a resolution to get its simplified aspect ratio, or start from a ratio and one side to get the missing dimension. Knows the common ratios like 16:9, 4:3 and 21:9 and shows how close your size is to each.