# BCryptVerify()

Verifies a password against a BCrypt hash. Use this instead of the deprecated VerifyBCryptHash().

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
BCryptVerify( input=string, hash=string, throwOnError=boolean );
```

**Returns:** boolean

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| input | string | Yes | Password to verify |  |
| hash | string | Yes | BCrypt hash to check against |  |
| throwOnError | boolean | No | If true, throws an exception on invalid hash format instead of returning false | false |

# Usage Notes

The cost factor is encoded in the hash, so you don't need to specify it when verifying. This means you can increase the cost over time and existing hashes will still verify correctly.

By default, invalid or malformed hashes return `false`. Pass `throwOnError=true` if you want an exception instead.

Replaces the deprecated [VerifyBCryptHash()](verifybcrypthash.md).

# Examples

```cfml
// Hash a password at registration time
hash = BCryptHash( "user-password" );
// Store 'hash' in your database

// At login, verify the password against the stored hash
isValid = BCryptVerify( "user-password", hash ); // true
isWrong = BCryptVerify( "wrong-password", hash ); // false

// Invalid hashes return false by default (no exception thrown)
result = BCryptVerify( "password", "not-a-valid-hash" ); // false

// Pass throwOnError=true to get an exception on invalid hashes instead
try {
	BCryptVerify( "password", "not-a-valid-hash", true );
} catch ( e ) {
	// handle the error
}
```
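The usage note about the cost factor being encoded in the hash, as an added example (not part of the Lucee documentation or the extension's own code): it reads the cost out of a stored hash after a successful `BCryptVerify()` and flags hashes that should be regenerated. `bcryptCost()`, `checkLogin()` and the target cost of 12 are hypothetical names and values chosen for illustration.

```cfml
// Added example: bcryptCost(), checkLogin() and targetCost are hypothetical.

// Returns the cost factor encoded in a BCrypt hash, or 0 when the string does
// not have the usual "$2<variant>$<cost>$<53 chars of salt and digest>" layout.
function bcryptCost( required string hash ) {
	var m = reFind( "^\$2[abxy]?\$([0-9]{2})\$[./A-Za-z0-9]{53}$", arguments.hash, 1, true );
	if ( m.pos[ 1 ] == 0 ) return 0;
	return val( mid( arguments.hash, m.pos[ 2 ], m.len[ 2 ] ) );
}

// Verifies a login and reports whether the stored hash is below the target cost.
function checkLogin( required string password, required string storedHash, numeric targetCost = 12 ) {
	var result = {
		ok: false,
		needsRehash: false,
		storedCost: bcryptCost( arguments.storedHash )
	};
	// throwOnError defaults to false, so a malformed hash simply fails the login
	result.ok = BCryptVerify( arguments.password, arguments.storedHash );
	// Flag an upgrade only after a successful verify: this is the one moment
	// the plaintext password is available to hash again
	result.needsRehash = result.ok
		&& result.storedCost > 0
		&& result.storedCost < arguments.targetCost;
	return result;
}

// Constructed sample input
storedHash = BCryptHash( "user-password" );
login = checkLogin( "user-password", storedHash );

if ( login.needsRehash ) {
	// Assumes BCryptHash() now produces hashes at the raised cost
	storedHash = BCryptHash( "user-password" );
	// Replace the stored hash in your database here
}

// A malformed hash yields ok=false, storedCost=0 and no rehash request
bad = checkLogin( "user-password", "not-a-valid-hash" );
```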

# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[BCryptHash()](bcrypthash.md), [GenerateBCryptHash()](generatebcrypthash.md), [VerifyBCryptHash()](verifybcrypthash.md)