Bcrypt Cost Calculator

Frequently Asked Questions

What cost factor should I use today?

A common target is 100-300 ms per hash, which corresponds roughly to cost 12-14 on modern server hardware. Use this calculator to benchmark your actual environment and pick the highest cost whose latency your login flow can absorb.

Should I use bcrypt or Argon2?

Argon2id is the current best-practice recommendation because it is memory-hard, making it far more resistant to GPU and ASIC attacks than bcrypt's CPU-bound design. If starting a new system, prefer Argon2id.

How do I upgrade stored bcrypt hashes to a higher cost?

You cannot upgrade a stored hash without the original plaintext. The standard approach is to re-hash on the next successful login using the new cost factor and replace the stored hash.

Why does bcrypt resist GPU attacks?

Bcrypt's Blowfish key schedule requires frequent small-memory accesses that map poorly to GPU architectures, which excel at large parallel math operations.

Provided by AllCalculators.io
Free online calculators for everyday. No registration required.

Estimates for informational purposes only.

Important Disclaimer: Estimates for informational purposes only.

This calculator provides estimates for informational purposes only. Results are based on assumptions and may not reflect actual outcomes. Consult qualified professionals in relevant fields before making important decisions based on these results.

JavaScript is required to use the interactive calculator above. The questions and answers below remain readable without JavaScript.

How It Works

Bcrypt is a deliberately slow password-hashing function designed to resist brute-force attacks. Its cost factor (also called work factor or rounds) is an integer between 4 and 31 that controls how much work each hash requires: the internal Blowfish key-setup loop runs 2^cost iterations. Raising the cost by one doubles the time, which keeps password hashing painfully slow for attackers trying billions of guesses while remaining acceptable for a login endpoint handling one hash per sign-in.

This calculator converts a cost factor to the exact iteration count, estimates the time per hash based on a hashes-per-second benchmark on your specific hardware, projects how many guesses an attacker with the same speed could attempt per hour, and recommends the cost that lands closest to a sensible target hash time (commonly 100-300 ms).

Use Cases

Bcrypt cost tuning is relevant whenever passwords are stored or verified:

Selecting the initial cost factor when deploying a new authentication system on known hardware

Re-tuning the cost after migrating to faster servers, since faster hardware makes a fixed cost cheaper for attackers too

Justifying a cost increase to stakeholders by showing the attacker's guesses-per-hour at each level

Comparing bcrypt cost factors across environments (development laptop vs. production server) to avoid shipping an inadequate cost

Estimating the server-side login latency at each candidate cost before making a decision

Tips

Always benchmark on hardware equivalent to your production environment - a fast development laptop gives misleading results.

The cost factor is exponential, not linear: going from 10 to 13 is 8x more work (2³), not 30% more.

Setting cost too high exposes your login endpoint to denial-of-service by slow-hashing attacks; stay under ~500 ms per hash.

Revisit the cost every few years as hardware improves - a cost tuned in 2018 may be too cheap in 2026.

Bcrypt silently truncates passwords longer than 72 bytes; consider pre-hashing very long passwords with SHA-256 before bcrypt if your policy allows long passphrases.

FAQ

What cost factor should I use today?

Should I use bcrypt or Argon2?

Argon2id is the current best-practice recommendation because it is memory-hard, making it far more resistant to GPU and ASIC attacks than bcrypt's CPU-bound design. If you are starting a new system, prefer Argon2id. Bcrypt is still acceptable for existing systems where migration cost is high.

How do I upgrade stored bcrypt hashes to a higher cost?

You cannot upgrade a stored hash without the original plaintext. The standard approach is to re-hash the password on the next successful login using the new cost factor and replace the stored hash. Over time, active users migrate; dormant accounts keep the old cost until they next log in.

Why does bcrypt resist GPU attacks?

Bcrypt's Blowfish key schedule requires frequent small-memory accesses in a pattern that maps poorly to GPU architectures, which excel at large parallel math operations. This is why bcrypt's effective throughput on a GPU is only modestly higher than on a CPU - a key advantage over purely CPU-bound functions like MD5.

Bcrypt Cost Calculator

Frequently Asked Questions

Related Developer Tools Calculators