BCryptHash()
Generates a BCrypt password hash. Use this instead of the deprecated GenerateBCryptHash().
Requires Extension: Crypto Extension
BCryptHash( input=string, cost=numeric );
Returns: String
| Argument | Description | Default |
|---|---|---|
| input (string, required) | Password to hash | |
| cost (numeric, optional) | Cost factor (4-31) | 10 |
Usage Notes
BCrypt is a well-established password hashing algorithm with wide ecosystem support. It's the best choice when you need compatibility with Adobe ColdFusion or other platforms.
Cost factor: The default is 10. Each increment doubles the computation time. Cost 12 is a good starting point for production — aim for 0.5–1 second on your hardware. The maximum is 31 but anything above 15 will be very slow.
Password length limit: BCrypt silently truncates passwords at 72 bytes. If your application allows very long passwords, consider Argon2Hash() instead.
For new applications where ACF compatibility isn't needed, prefer Argon2Hash() which offers tuneable memory-hardness and no password length limit.
Replaces the deprecated GenerateBCryptHash().
Examples
// BCryptHash generates a salted hash - each call produces a different result
hash1 = BCryptHash( "my-secret-password" );
hash2 = BCryptHash( "my-secret-password" );
// hash1 != hash2 because BCrypt uses a random salt each time
// The default cost factor is 10. Higher cost = slower but harder to brute-force.
// Cost is exponential: cost 12 is 4x slower than cost 10.
hash = BCryptHash( "my-secret-password", 12 );
// Verify a password against a stored hash using BCryptVerify()
isValid = BCryptVerify( "my-secret-password", hash ); // true
isWrong = BCryptVerify( "wrong-password", hash ); // false
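The cost and length guidance from the Usage Notes, as an added example that is not part of the Lucee documentation. `calibrateBCryptCost()` and `hashPasswordChecked()` are hypothetical helper names; the 500 ms target and the cap of 15 come from the notes above, and counting the 72-byte limit in UTF-8 bytes is an assumption about how the password is encoded.

```cfml
<cfscript>
// Added example: helper names are hypothetical, not Lucee built-ins.

// Returns the lowest cost (starting at the default of 10) whose single-hash
// time reaches targetMs on this host, capped at maxCost.
function calibrateBCryptCost( numeric targetMs = 500, numeric maxCost = 15 ) {
    var probe = "calibration-sample-password"; // constructed sample input
    BCryptHash( probe, 4 ); // warm-up call so first-use overhead is not timed
    for ( var cost = 10; cost <= arguments.maxCost; cost++ ) {
        var started = getTickCount();
        BCryptHash( probe, cost );
        var elapsedMs = getTickCount() - started;
        if ( elapsedMs >= arguments.targetMs ) {
            return cost;
        }
    }
    return arguments.maxCost;
}

// Rejects input that BCrypt would silently truncate. The limit is in bytes,
// so multi-byte characters reach it sooner than len( password ) suggests.
function hashPasswordChecked( required string password, required numeric cost ) {
    var byteLength = len( charsetDecode( arguments.password, "utf-8" ) ); // assumes UTF-8
    if ( byteLength > 72 ) {
        throw( type = "PasswordTooLong", message = "Password exceeds the 72-byte BCrypt limit" );
    }
    return BCryptHash( arguments.password, arguments.cost );
}

cost = calibrateBCryptCost();
stored = hashPasswordChecked( "my-secret-password", cost );
writeOutput( "Selected cost: #cost#, verifies: #BCryptVerify( 'my-secret-password', stored )#" );
</cfscript>
```

Run the calibration once on production-class hardware and store the result in configuration rather than timing on every request.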
See also
- Cryptography
- BCryptVerify()
- GenerateBCryptHash()
- VerifyBCryptHash()
- Search Issue Tracker
- Search Lucee Test Cases (good for further, detailed examples)