Learn about bcrypt and use PBKDF2 for browser-based password hashing
Bcrypt requires native code and cannot be implemented purely in JavaScript. For browser-based password hashing, use PBKDF2 (see the PBKDF2 tab).
Bcrypt is an adaptive password hashing function designed to be slow and computationally expensive, making it resistant to brute-force attacks. It uses the Blowfish cipher and includes a salt to protect against rainbow table attacks.
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
Cost factor determines the number of iterations (2^cost). Higher values are more secure but slower. Cost of 12 takes ~250ms on modern hardware.
PBKDF2 (Password-Based Key Derivation Function 2) is supported by the Web Crypto API and can run in the browser.
Recommendation: Good choice for browser-based password hashing. Use at least 100,000 iterations with SHA-256.
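The PBKDF2 recommendation above, as an added example that is not code from this tool: it derives a salted PBKDF2-HMAC-SHA-256 hash with the Web Crypto API and verifies it again. The function names, the 16-byte salt and the "$"-separated record layout are assumptions made for the example.

```javascript
// Added example: PBKDF2-HMAC-SHA-256 via Web Crypto (browsers and Node).
const MIN_ITERATIONS = 100000; // the floor recommended above

async function webCrypto() {
  // Browsers and Node 19+ expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto?.subtle ? globalThis.crypto
                                   : (await import('node:crypto')).webcrypto;
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16));

// Derive 256 bits from a password, a salt (Uint8Array) and an iteration count.
async function pbkdf2Sha256(password, salt, iterations) {
  const { subtle } = await webCrypto();
  const key = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, key, 256);
  return new Uint8Array(bits);
}

// Record layout "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>" is made up
// for this example so that the parameters travel with the hash.
async function hashPassword(password, iterations = MIN_ITERATIONS) {
  if (iterations < MIN_ITERATIONS) throw new RangeError('iteration count too low');
  const salt = (await webCrypto()).getRandomValues(new Uint8Array(16));
  const hash = await pbkdf2Sha256(password, salt, iterations);
  return ['pbkdf2-sha256', iterations, toHex(salt), toHex(hash)].join('$');
}

async function verifyPassword(password, record) {
  const [scheme, iterText, saltHex, hashHex] = record.split('$');
  const iterations = Number(iterText);
  // Refuse unknown schemes and records weaker than the current floor.
  if (scheme !== 'pbkdf2-sha256' || !(iterations >= MIN_ITERATIONS)) return false;
  const expected = fromHex(hashHex ?? '');
  const actual = await pbkdf2Sha256(password, fromHex(saltHex ?? ''), iterations);
  if (expected.length !== actual.length) return false;
  let diff = 0; // compare every byte so timing does not reveal where they differ
  for (let i = 0; i < actual.length; i++) diff |= actual[i] ^ expected[i];
  return diff === 0;
}
```

Storing the iteration count in the record lets the floor be raised later while older records can still be identified and re-hashed at next login.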
Argon2 is the winner of the Password Hashing Competition (2015). It is more secure than bcrypt and resistant to GPU/ASIC attacks.
Recommendation: Best choice for server-side hashing. Requires native implementation or WebAssembly.
Memory-hard key derivation function. More resistant to hardware brute-force attacks than bcrypt.
Recommendation: Good alternative to bcrypt. Requires native implementation or WebAssembly.