A simple command-line tool for generating and verifying bcrypt password hashes.
- Generate bcrypt hashes from passwords with configurable work factor
- Verify passwords against existing bcrypt hashes
- Secure password input (no echo to terminal)
- Fast and lightweight
- Go 1.25.0 or later
go install github.com/cemcatik/bch@latestOr clone and build locally:
git clone https://github.com/cemcatik/bch.git
cd bch
go build -o bch bch.goGenerate a bcrypt hash with the default work factor (12):
bch hashYou'll be prompted to enter a password, which will be hashed and printed to stdout.
Use the -f or --factor flag to specify a different work factor:
bch hash --factor 14Work factor guidelines:
- Default: 12 (recommended for most applications)
- Higher values = more secure but slower
- Each increment doubles the computational cost
- Range: 4-31 (bcrypt limitation)
Verify a password against an existing bcrypt hash:
bch verify '$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'You'll be prompted to enter a password. The tool will print true if the password matches, or false if it doesn't.
$ bch hash
Enter password:
$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW$ bch hash -f 14
Enter password:
$2a$14$xyz...$ bch verify '$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'
Enter password:
true$ bch verify '$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW'
Enter password:
false- Passwords are read securely from stdin without echoing to the terminal
- The default work factor of 12 is considered secure for most applications as of 2025
- Bcrypt automatically handles salting - each hash is unique even for the same password
- Higher work factors provide better protection against brute-force attacks but increase CPU usage
go build -o bch bch.gogo fmt ./...go get -u ./...
go mod tidyMIT License - see LICENSE file for details.