Password Hash Generator and Verifier
(Argon2id, bcrypt, scrypt, PBKDF2)

Client-side tool to generate/verify password hashes with realistic parameters. Helpful for debugging integrations and understanding how salts, memory, and iterations affect cost. Runs locally—no passwords leave your browser.

Your data security is our top priority. All hashing and verification happen in this browser. This tool does not store or send your password nor hashes outside of the browser. See source code in: https://github.com/authgear/authgear-widget-password-hash

Supported Password Hashing Functions

Argon2id Generator & Parameters
Argon2id is a modern, memory-hard function that raises the attacker’s cost on GPUs/ASICs. Tune memory, iterations (t), and parallelism (p) until your authentication path lands around 250–500ms on production hardware. Use a unique random salt per password (16–32 bytes).
bcrypt Generator (cost/rounds)
bcrypt is battle-tested and widely available. Increase cost to slow brute-force attempts, while keeping login UX responsive. We output the $2b$ format for broad compatibility.
scrypt Generator (N, r, p)
scrypt adds memory-hardness. Increase N (e.g., 215–219) to raise attacker cost; adjust r and p to balance memory and parallelism.
PBKDF2 Generator (SHA-256 / SHA-512)
PBKDF2 remains a compatibility workhorse. Use high iteration counts (hundreds of thousands or more) and revisit yearly as hardware improves.
Salts (and Optional Pepper)
The tool generates cryptographically secure salts and lets you set length and encoding (Hex/Base64). Some deployments also add a pepper (site-wide server secret) that’s not stored in the hash. Use peppers carefully and manage them like other secrets.
Read more:
Password hashing & salting explained  •  How to pick the right hashing function

How to use the Password Hash Generator

Step 1.
Enter a password
  • Open the Generate tab and type a demo password (avoid real credentials).
Step 2.
Select an algorithm
  • For new systems, Argon2id is generally recommended.
Step 3.
Set parameters:
  • Argon2id: Memory (MiB), Iterations (t), Parallelism (p).
  • bcrypt: Cost (2cost rounds).
  • scrypt: N (power of two), r, p.
  • PBKDF2: Iterations and digest (SHA-256/512).
Step 4.
Generate Password Hash
  • Click Generate Password Hash. Copy the encoded string.
Step 5.
Verify Password Hash
  • Switch to Verify Password Hash to test a password + encoded hash pair.

Ready to Supercharge Your Authentication?

Experience seamless, secure, and scalable identity management with Authgear.

Get Started for Free

Is it safe to use this with real passwords?

All hashing happens locally in your browser. For your own safety, avoid using production secrets in any online tool.

Which hashing function should I use?

For new systems, Argon2id is generally recommended. bcrypt and scrypt are widely deployed; PBKDF2 is a compatibility fallback. Always benchmark and choose parameters that meet your latency targets.

How long should hashing take?

Many teams target ~250–500ms in the authentication path. Pick the slowest settings that still keep UX smooth on your production hardware.

Why won’t my framework verify the hash?

Common issues: whitespace/line endings, encoding mismatch (hex vs Base64), bcrypt prefix differences ($2a$ vs $2b$), or forgetting a pepper.

What salt length should I use?

16–32 bytes of random data is standard. The tool defaults to secure randomness and shows length and encoding.
Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website.

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.