Bcrypt Hash (Educational Demo)
Privacy: All processing runs locally
Explore password hashing concepts using PBKDF2 via the Web Crypto API. This demo illustrates how bcrypt-style key stretching works.
How It Works
Bcrypt is a password hashing function designed by Niels Provos and David Mazières in 1999, based on the Blowfish cipher. It incorporates a salt to protect against rainbow table attacks and an adaptive cost factor that makes it intentionally slow, increasing resistance to brute-force attacks.
PBKDF2 (Password-Based Key Derivation Function 2) works on a similar principle: it applies a pseudorandom function (here HMAC-SHA256) to the password along with a salt, repeating the process many times (iterations) to derive a key. More iterations mean more computation for every password guess, making brute-force attacks impractical.
This demo uses the Web Crypto API's crypto.subtle.deriveKey() with PBKDF2 to illustrate these concepts. A random 16-byte salt is generated using crypto.getRandomValues(). The resulting derived key is displayed as a hexadecimal string.
Key concepts demonstrated: Salting (unique random value per hash), Key Stretching (many iterations to slow down attacks), and One-way function (cannot reverse the hash to get the password).
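The derivation described above, carried through to the verification step, as an added example that is not the demo's own code. It uses crypto.subtle.deriveBits(), the sibling of deriveKey() that returns raw bytes; the function names, the record format and the default iteration count are assumptions of this example.

```javascript
// Added example: PBKDF2-HMAC-SHA256 hash and verify via the Web Crypto API.
// The record format "pbkdf2-sha256$<iterations>$<salt hex>$<key hex>" is an
// assumption made for this example, not a standard or the demo's own format.
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/.{2}/g) ?? [], (h) => parseInt(h, 16));

// Browsers and recent Node expose globalThis.crypto; older Node needs the import.
async function getCrypto() {
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

// Key stretching: `iterations` rounds of HMAC-SHA256 over the password and salt.
async function deriveHex(password, salt, iterations) {
  const { subtle } = await getCrypto();
  const baseKey = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
  const bits = await subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, baseKey, 256);
  return toHex(new Uint8Array(bits));
}

// Salting: a fresh 16-byte random salt per password, stored beside the cost and key.
async function hashPassword(password, iterations = 600000) { // assumed default cost
  const salt = (await getCrypto()).getRandomValues(new Uint8Array(16));
  const key = await deriveHex(password, salt, iterations);
  return `pbkdf2-sha256$${iterations}$${toHex(salt)}$${key}`;
}

// Verification re-derives with the stored salt and cost; nothing is reversed.
async function verifyPassword(password, record) {
  const [scheme, iter, saltHex, expected] = record.split("$");
  const iterations = Number(iter);
  const wellFormed = scheme === "pbkdf2-sha256" && Number.isInteger(iterations)
    && iterations > 0 && /^([0-9a-f]{2})+$/.test(saltHex ?? "")
    && /^[0-9a-f]{64}$/.test(expected ?? "");
  if (!wellFormed) return false; // unknown scheme or malformed record
  const actual = await deriveHex(password, fromHex(saltHex), iterations);
  let diff = 0; // compare every character, with no early exit on mismatch
  for (let i = 0; i < expected.length; i++) {
    diff |= actual.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}
```

Because the iteration count is stored in each record, the cost can be raised for new hashes while older records still verify with the count they were created under.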