XConvert
Downloads
Pricing

Generate SCRYPT Online

Create SCRYPT output quickly with a client-only generator that runs in your browser—no installs required.

Input
Parameters
RFC 7914 recommends ≥ 14
Scrypt hash (hex)
Hash will appear here once you click Hash.

How to Generate a Scrypt Hash Online

  1. Enter Your Password or Passphrase: Type or paste the string you want to hash. The input never leaves your browser — everything runs locally in WebAssembly.
  2. Set N, r, and p Parameters: N is the CPU/memory cost (must be a power of 2; common values 2^14 / 2^15 / 2^17). r is the block size (8 is standard). p is the parallelization factor (1 for password storage). For OWASP-compliant password hashing, use N=2^17, r=8, p=1.
  3. Provide a Salt and Key Length (Optional): Paste a salt or click Generate to create a random 16-byte salt. Set output length in bytes (32 or 64 are typical). Pick output encoding (hex or base64).
  4. Click Generate and Copy: The derived key appears below. No sign-up, no upload, no server round-trip — clear the page and the data is gone.

Why Use Scrypt for Password Hashing?

Scrypt is a memory-hard password-based key derivation function (KDF) designed by Colin Percival in March 2009 and standardized as RFC 7914 in 2016. Unlike PBKDF2 and bcrypt, scrypt deliberately uses large amounts of RAM during computation so that attackers cannot cheaply parallelize attacks on GPUs, FPGAs, or ASICs — the memory bandwidth becomes the bottleneck.

  • Memory-hard defense against GPU/ASIC cracking — Scrypt's internal mixing requires roughly 128 * N * r * p bytes of RAM per hash. At N=2^17, r=8, p=1 that's ~128 MiB per attempt, making custom-silicon attacks economically impractical compared to bcrypt.
  • OWASP-recommended fallback when Argon2id is unavailable — The OWASP Password Storage Cheat Sheet lists scrypt as the second choice after Argon2id and ahead of bcrypt/PBKDF2.
  • Built into Node.js, OpenSSL, and most modern crypto libraries — crypto.scrypt() ships with Node 10+, OpenSSL 1.1+ exposes EVP_KDF-SCRYPT, and there are mature implementations for Go, Python, Rust, and Java without extra dependencies.
  • Cryptocurrency proof-of-work heritage — Litecoin and Dogecoin use scrypt as their PoW; the algorithm has been battle-tested at internet scale for over a decade.
  • Verifiable, tunable, deterministic — Same password + salt + parameters always yield the same derived key, so you can re-derive in any compliant library and check matches without a fresh round-trip.
  • Ideal for disk encryption and key derivation, too — Tools like Tarsnap (Percival's own product) use scrypt to turn passphrases into AES keys, not just to store password verifiers.

Scrypt vs Argon2id vs Bcrypt — Algorithm Comparison

Property scrypt Argon2id bcrypt
Year published 2009 (RFC 7914 in 2016) 2015 (PHC winner) 1999
Memory-hard Yes (configurable) Yes (configurable) No (fixed ~4 KiB)
GPU/ASIC resistance Strong (RAM-bound) Strongest (RAM + side-channel resistant) Weak — GPUs accelerate ~30x
Tunable parameters N (CPU/mem), r (block), p (parallel) memory, iterations, parallelism cost factor (work)
Max password length Unlimited Unlimited 72 bytes (silently truncated)
OWASP 2024 ranking #2 fallback #1 recommended #3 legacy only
Standardized as RFC 7914 RFC 9106 No formal RFC
Built-in to Node.js Yes (crypto.scrypt) No (needs argon2 package) No (needs bcrypt package)

For new applications in 2026, use Argon2id unless your runtime can't support it. For legacy systems already on bcrypt, don't migrate without need — just raise the cost factor.

OWASP-Recommended Scrypt Parameter Sets

Profile N r p Memory per hash Use case
Maximum 2^17 (131,072) 8 1 ~128 MiB OWASP default; high-security backends
Balanced 2^16 (65,536) 8 2 ~64 MiB × 2 Web apps with moderate auth load
Standard 2^15 (32,768) 8 3 ~32 MiB × 3 General-purpose password storage
Interactive 2^14 (16,384) 8 5 ~16 MiB × 5 Latency-sensitive logins
Constrained 2^13 (8,192) 8 10 ~8 MiB × 10 Embedded / low-memory environments

All five rows are published in the OWASP Password Storage Cheat Sheet — they're equivalent in total work, just distributed differently between memory and parallel cores. Pick the row whose memory cost matches what your auth server can spare per concurrent login.

Frequently Asked Questions

Should I use scrypt or Argon2id in 2026?

Use Argon2id if your platform supports it. The Password Hashing Competition selected Argon2 as the winner in July 2015 after a multi-year public review, and OWASP, NIST SP 800-63B-4, and IETF RFC 9106 all now position Argon2id as the default choice for password storage. The OWASP 2024 Password Storage Cheat Sheet recommends Argon2id with a preferred profile of m=46 MiB (46080), t=1, p=1 and a minimum of m=19 MiB (19456), t=2, p=1. Scrypt remains a perfectly acceptable second choice — it's memory-hard, well-studied, and battle-tested — but Argon2id resists side-channel attacks that scrypt does not, thanks to its hybrid data-dependent/independent mode.

How much memory does scrypt actually use?

The working-set RAM is approximately 128 * N * r * p bytes per hash. At the OWASP-recommended N=2^17, r=8, p=1, that's 128 * 131,072 * 8 * 1 = 134,217,728 bytes, or 128 MiB per concurrent hash operation. At the constrained profile (N=2^13, r=8, p=10), it's ~8 MiB per parallel lane × 10 lanes = ~80 MiB total. Plan capacity around peak concurrent logins, not total user count.

Why is scrypt better than PBKDF2 for password storage?

PBKDF2 is CPU-hard but not memory-hard. An attacker with a $5,000 consumer GPU can compute billions of PBKDF2-SHA256 hashes per second because each guess fits in a few hundred bytes of GPU register memory. Scrypt forces each guess to allocate tens or hundreds of megabytes of RAM that must be randomly accessed throughout the computation — GPUs run out of memory bandwidth long before they exhaust CPU. PBKDF2 remains acceptable only when FIPS-140 compliance is mandatory and no memory-hard alternative is approved.

Do I need a salt, and how long should it be?

Yes — always. A salt prevents two users with the same password from getting the same hash, defeats rainbow tables, and stops attackers from amortizing cracking work across an entire database. The salt must be unique per credential (not per application) and generated from a cryptographically secure source like crypto.randomBytes or /dev/urandom. 16 bytes (128 bits) is the standard minimum; 32 bytes is fine if you want extra margin. The salt is not secret — store it alongside the hash.

What should the derived key length be?

For password verification, 32 bytes (256 bits) is plenty — any longer and you're just storing extra bytes that don't increase security beyond the underlying primitive. If you're using scrypt as a key derivation function to feed AES-256-GCM, AES-256-CBC, or another 256-bit cipher, 32 bytes matches the cipher key size exactly. For ChaCha20-Poly1305 use 32 bytes; for combined encrypt + MAC schemes you may want 64 bytes split into two halves.

Can scrypt hashes be cracked?

Weak passwords can always be cracked given enough time — scrypt slows the attacker down but doesn't make brute force impossible. The point of memory-hardness is to convert what would be a $1,000 GPU rig attack into a $50,000+ memory-bandwidth attack, buying you orders of magnitude more time. A 12-character random password hashed with OWASP-recommended scrypt parameters is computationally infeasible to brute force on any hardware available in 2026. An 8-character dictionary word, however, remains crackable in hours — no KDF saves you from bad password policy.

What does the scrypt output look like, and how do I store it?

Scrypt returns a raw byte string of whatever length you requested. Most libraries serialize the full record as a PHC-style string: $scrypt$ln=17,r=8,p=1$<base64-salt>$<base64-hash>. Storing the parameters alongside the hash lets you upgrade cost over time — when N=2^17 stops being enough, you can verify old hashes at their original parameters and rehash at the new level on next login. Browser-based tools like the Authgear password hash generator and most server-side auth libraries follow this serialization convention so hashes are portable across implementations.

Why did you build this as a client-side tool?

Because pasting production secrets into a remote API is a security mistake. This page runs the scrypt reference implementation compiled to WebAssembly entirely inside your browser tab. No request body containing your password is ever sent to xconvert servers — you can verify this by opening DevTools, switching to the Network tab, and clicking Generate. Use this generator for development, testing, parameter tuning, and educational purposes; for production password storage, call scrypt server-side from your auth backend with the same parameters.

Is scrypt approved for FIPS or government use?

Scrypt itself is not on the NIST FIPS 140-3 approved algorithm list as of 2026, which makes it inappropriate for some US federal and regulated-industry applications. NIST SP 800-63B-4 lists PBKDF2 as the FIPS-approved password hashing option, while acknowledging memory-hard KDFs (Argon2, scrypt) as cryptographically stronger. If you're building for a regulated environment, check your compliance requirements before choosing scrypt; for everything else, scrypt or Argon2id are stronger choices than PBKDF2.

Related Generate tools
Nanoid GeneratorUlid GeneratorKsuid GeneratorFake Name GeneratorFake Email GeneratorFake Address GeneratorFake Phone GeneratorRandom Ip

Image Tools

Image CompressorCompress JPEGCompress PNGCompress GIFCompress WebPImage ConverterJPG ConverterImage Resizer

Video Tools

Video CompressorCompress MP4MP4 to GIFVideo to GIFVideo ConverterMP4 ConverterVideo Cutter

Audio Tools

Audio CompressorCompress MP3Compress WAVAudio ConverterMP3 ConverterFLAC to MP3Audio Cutter

Document Tools

Compress PDFMerge Images to PDFSplit PDFPDF to JPGUnzip FilesRAR Extractor
© 2026 XConvert.com. All Rights Reserved.
About UsPrivacy PolicyTerms of ServiceContactHelp Us Grow