# Bcrypt Hash Engine MCP

> The Bcrypt Hash Engine is an MCP that handles secure password storage. It uses bcrypt, the industry-standard method for hashing passwords with a unique salt. You can use it to hash new passwords or verify user logins against stored hashes without ever handling plaintext credentials.

## Overview
- **Category:** security
- **Price:** Free
- **Tags:** bcrypt, hash, password, security, authentication

## Description

Storing passwords in plain text? That's a huge security risk. This MCP fixes that by using bcrypt, which is what major platforms like Dropbox and GitHub rely on. bcrypt not only hashes your password securely but is intentionally slow by design, which makes brute-force attacks prohibitively expensive for attackers. You don't need to manage salts manually either—the system handles all that automatically. By connecting this MCP through Vinkius, you give your agent a reliable way to handle user authentication data from anywhere, whether that’s in an IDE or an automated workflow. It lets you hash new credentials using configurable salt rounds and then check whether a provided password matches the stored hash. You just get the boolean result: match or no match.

## Tools

### bcrypt_hash
Hashes a password using bcrypt. It includes a unique salt and lets you set the computational cost (rounds).

### bcrypt_verify
Checks if a given password matches an existing hash, returning a simple true/false boolean.

## Prompt Examples

**Prompt:** 
```
A new user just signed up. Hash their password 'MyS3cur3P@ss!' for secure storage in PostgreSQL.
```

**Response:** 
```
Hash: $2a$10$N9qo8uLOickgx2ZMRZoMye... | 60 chars, salt embedded, ready for INSERT.
```

**Prompt:** 
```
User is trying to log in. Check if their password matches the stored hash.
```

**Response:** 
```
isMatch: true — password verified. Allow login.
```

**Prompt:** 
```
Our compliance officer requires 12 salt rounds minimum. Re-hash this password with higher security.
```

**Response:** 
```
Hash: $2a$12$... | 12 rounds, ~400ms computation time. Meets financial-grade requirements.
```

## Capabilities

### Generate secure credential hashes
It creates a salted, one-way cryptographic hash from a plain text password using configurable rounds.

### Validate credentials against stored hashes
You pass in a potential password and the existing hash; it confirms if they match without exposing either secret.

## Use Cases

### Handling a New User Signup
A new user signs up with the password 'Summer2024!'. Your agent calls `bcrypt_hash` to generate the hash. You receive the secure string, which you store in PostgreSQL instead of the raw password. The system is now compliant and safe.

### Validating a Login Attempt
A user tries logging in with their password. Your agent passes the input password and the stored hash to `bcrypt_verify`. It returns `isMatch: true`, confirming the login is legitimate, or false if they entered something wrong.

### Meeting Compliance Standards
The compliance officer mandates that all financial system passwords must use 12 salt rounds minimum. You can call `bcrypt_hash` and explicitly set the cost to 12, proving you meet regulatory requirements for computational difficulty.

### Integrating into an Agent Workflow
Your agent is writing a user registration script. It uses the MCP to hash the password and then executes database insertion logic using the resulting secure string, all within one automated workflow.

## Benefits

- You eliminate plaintext passwords. Instead of storing 'MyPassword123', you store a complex, salted string that can't be reversed, drastically limiting the impact if your database is compromised.
- The configurable cost allows you to raise security levels when required—use 14+ rounds for systems handling highly sensitive data, meeting strict compliance needs.
- You use dedicated tools like `bcrypt_hash` and `bcrypt_verify`, ensuring that verification happens correctly. You never compare two hashes directly; the process is always password-against-hash.
- Because it runs on pure JavaScript, this MCP works everywhere—Edge, Lambda, Cloudflare Workers—without needing native compilation or complex build steps.
- It handles salt management automatically. Every hash gets a unique random salt built in, so you never have to worry about tracking or manually managing them.

## How It Works

The bottom line is that you get a durable, tamper-resistant hash instead of a readable password.

1. Provide the plain text password you need to store, along with the desired cost in rounds (e.g., 12 for finance).
2. The MCP runs the hashing algorithm, which incorporates a unique salt and applies the specified computational cost.
3. You receive the final, salted hash string, ready for database storage.
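The hash string you store carries everything `bcrypt_verify` later needs: the variant, the cost (rounds) and the salt are all embedded in the 60-character value. That also makes stored hashes auditable. The following is an added example, not the MCP's own code, showing how a defender can parse that format with plain Node.js (no bcrypt library needed) and flag rows that fall below the 12-round floor from the compliance use case above, so they can be re-hashed on the user's next successful login. The sample rows are constructed for the demo; the cost-10 value reuses the page's example prefix as a well-formed illustrative string, not any real user's hash.

```javascript
// Added example (not the MCP's own code): audit bcrypt hashes that are already
// stored, e.g. to find rows below a compliance floor of 12 rounds before
// re-hashing them on the user's next login. Sample rows are constructed.

// bcrypt modular crypt format: "$2<variant>$<cost>$" + 22-char salt + 31-char
// digest = 60 characters; cost is log2 of the key-setup iteration count.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  if (typeof hash !== 'string' || hash.length !== 60) return null;
  const m = BCRYPT_RE.exec(hash);
  if (m === null) return null;
  const cost = Number.parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { variant: m[1], cost, salt: m[3], digest: m[4], iterations: 2 ** cost };
}

// A hash must be regenerated when it is not bcrypt at all (legacy MD5/SHA rows,
// plaintext) or when its embedded cost is below the required minimum.
function needsRehash(hash, minCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < minCost;
}

// Walk a result set of { id, password_hash } rows and sort them into buckets.
function auditStoredHashes(rows, minCost) {
  const report = { compliant: [], rehash: [], malformed: [] };
  for (const { id, password_hash } of rows) {
    const parsed = parseBcryptHash(password_hash);
    if (parsed === null) report.malformed.push(id);
    else if (parsed.cost < minCost) report.rehash.push({ id, cost: parsed.cost });
    else report.compliant.push(id);
  }
  return report;
}

// Constructed sample rows (not real credentials): cost 10, cost 12, a legacy
// unsalted MD5 value, and a cost-4 hash from an old default.
const SAMPLE_ROWS = [
  { id: 1, password_hash: '$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy' },
  { id: 2, password_hash: '$2b$12$abcdefghijklmnopqrstuv0123456789012345678901234567890' },
  { id: 3, password_hash: '5f4dcc3b5aa765d61d8327deb882cf99' },
  { id: 4, password_hash: '$2a$04$abcdefghijklmnopqrstuv0123456789012345678901234567890' },
];

console.log(JSON.stringify(auditStoredHashes(SAMPLE_ROWS, 12), null, 2));
```

Run it with `node audit.js`; with the sample rows and a floor of 12, only row 2 is compliant, rows 1 and 4 are queued for re-hashing, and row 3 is reported as not a bcrypt hash at all. The parser only reads the public header fields; it never needs the password, so it can run against a read-only database replica.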

## Frequently Asked Questions

**How do I generate a hash with the bcrypt_hash tool?**
You pass the plain text password and specify the salt rounds you want to use (e.g., 12). The MCP returns the complete, salted hash string ready for your database.

**Can I verify a user login using bcrypt_verify?**
Yep. You pass in two things: the password the user provided, and the stored hash from your database. The tool returns true if they match, or false otherwise.

**Is this MCP safe to use for all my services?**
Yes. It uses bcrypt, which is an industry standard designed specifically for password hashing. It's a robust method that resists common brute-force attacks.

**Does bcrypt_hash require native compilation?**
Nope. This MCP runs on pure JavaScript (bcryptjs), so it works in environments like Edge and Cloudflare Workers without any tricky node-gyp or compilation steps.

**How do I determine the correct salt round cost when using the bcrypt_hash tool?**
You should choose a cost that balances security against your required response time. Financial or government systems usually require 12 rounds or higher, which adds computational overhead but drastically increases brute-force resistance.

**Why is it wrong to compare hashes manually when using the bcrypt_verify tool?**
You must always use `bcrypt_verify` because comparing two hashes directly exposes timing vulnerabilities. The built-in function handles the deliberately slow hashing and the constant-time comparison that secure verification requires.

**Since this MCP is pure JavaScript, where can I run it without compilation issues?**
Because it uses bcryptjs and requires no native compilation, you can deploy this MCP in modern serverless environments like Cloudflare Workers, AWS Lambda, or Edge functions.

**What is the recommended balance between high security and reasonable latency when using the bcrypt_hash tool?**
The default of 10 rounds provides a good starting point for most applications. If speed becomes critical, you can lower it, but remember that increasing the cost factor directly boosts resistance against attackers.
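The two FAQ answers above on choosing a cost come down to one rule: every increment of the cost doubles the work (2^cost iterations), so a single timing at a known cost predicts the latency at any other, and a compliance floor such as 12 is applied on top of the latency budget. The following is an added example, not the MCP's own code, that turns that reasoning into a calibration helper. The 100 ms benchmark at cost 10 is a constructed figure, and `standInHashMs` is a hypothetical stand-in workload (not bcrypt) whose running time scales with 2^cost in the same way, so the selection logic can be exercised without a bcrypt library.

```javascript
// Added example (not the MCP's own code): pick a bcrypt cost from a latency
// budget plus a policy floor. Cost c means 2^c iterations, so time doubles per step.

// Extrapolate from one measurement: time(cost) = time(benchCost) * 2^(cost - benchCost).
function estimateMs(cost, benchCost, benchMs) {
  return benchMs * 2 ** (cost - benchCost);
}

// Smallest cost in [policyMin, maxCost] whose time meets the target; if even
// maxCost is under budget, return maxCost. measureMs(cost) is injected so the
// selection logic can be checked with a model as well as with real timings.
function chooseCost(measureMs, { targetMs, policyMin = 10, maxCost = 31 }) {
  for (let cost = policyMin; cost <= maxCost; cost += 1) {
    if (measureMs(cost) >= targetMs) return cost;
  }
  return maxCost;
}

// Hypothetical stand-in for hashing at a given cost (NOT bcrypt): a loop that,
// like bcrypt's key setup, runs 2^cost rounds, so its timing scales the same way.
function standInHashMs(cost) {
  const start = performance.now();
  let x = 0x12345678;
  for (let i = 0; i < 2 ** cost; i += 1) x = (Math.imul(x, 1103515245) + 12345) >>> 0;
  return performance.now() - start;
}

// Demo with a constructed benchmark of 100 ms at the default cost 10; the page's
// "~400 ms at 12 rounds" follows directly from the doubling rule.
console.log('estimated ms at cost 12:', estimateMs(12, 10, 100));
console.log('cost for a 250 ms budget, no floor:',
  chooseCost((c) => estimateMs(c, 10, 100), { targetMs: 250, policyMin: 4 }));
console.log('cost for a 50 ms budget with a floor of 12:',
  chooseCost((c) => estimateMs(c, 10, 100), { targetMs: 50, policyMin: 12 }));
console.log('stand-in workload, cost meeting a 5 ms budget:',
  chooseCost(standInHashMs, { targetMs: 5, policyMin: 4, maxCost: 20 }));
```

In production you would pass a `measureMs` that times the real `bcrypt_hash` call on the machine that will serve logins, since the right cost depends on that hardware and should be re-checked as it gets faster. The floor wins whenever it is higher than what the latency budget alone would choose, which is exactly the 12-round compliance case.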