PHP Password Hash Generator

Generate BCRYPT, ARGON2I, and ARGON2ID hashes compatible with PHP's password_hash().

Tools
PHP Password Hash Generator
Add to Favorites Remove from Favorites Share on Facebook Share on X
Generate Hash

About PHP password_hash() Compatible Generator

This tool generates password hashes that are compatible with PHP's password_hash() function using client-side JavaScript. You can choose between BCRYPT (PHP's default), ARGON2I, and ARGON2ID algorithms, and configure their respective cost factors.

Important Security Note: While this tool demonstrates how these hashes are created, for actual user authentication in web applications, password hashing must always be performed on the server-side. Never send plaintext passwords to the server to be hashed after client-side generation for storage. This tool is primarily for educational, testing, or development purposes (e.g., generating a hash for a test database).

How It Works

  • Enter the password you want to hash.
  • Select the desired hashing algorithm: BCRYPT, ARGON2I, or ARGON2ID.
  • Adjust the algorithm-specific cost factors:
    • BCRYPT Cost: A higher number (4-31, default 10) means more processing rounds, making the hash stronger but slower to compute.
    • ARGON2 Memory Cost: Amount of memory in KiB (default 4096).
    • ARGON2 Time Cost: Number of iterations (default 3).
    • ARGON2 Threads: Parallelism factor (default 1).
  • Click "Generate Hash". The generated hash string, compatible with PHP's password_verify(), will appear.

Frequently Asked Questions

Why are BCRYPT and Argon2 used for password hashing?

BCRYPT and Argon2 are designed specifically for password hashing. Unlike fast cryptographic hashes (like SHA3), they are intentionally slow and resource-intensive (memory and/or CPU). This makes them much more resistant to brute-force and rainbow table attacks, even if an attacker gets access to the hashed passwords.

What are "cost factors"?

Cost factors control how much computational work is done to generate the hash. For BCRYPT, a higher cost means more rounds of hashing. For Argon2, you can control memory usage, time (iterations), and parallelism. Increasing cost factors makes the hash stronger against attacks but also increases the time it takes to generate the hash (and verify it).

Can I use these client-side generated hashes directly in my production login system?

No. While the hashes generated can be compatible with PHP's password_verify(), the actual hashing of a user's password during registration or login must occur on your server. This tool is for testing, understanding the hash formats, or pre-generating hashes for controlled environments, not for direct use in production authentication flows where the client sends a pre-hashed password.

Is my password sent to your server?

No. All hashing operations are performed directly in your web browser using JavaScript libraries. Your password is never transmitted to our servers.

Tools