Bcrypt Salt Rounds (Cost Factor) Explained
Learn what bcrypt salt rounds (cost factor) mean, how they affect hashing speed and security, and how to choose the right value. Includes benchmarks for cost factors 8 through 14 on modern hardware.
Detailed Explanation
Bcrypt Salt Rounds (Cost Factor) Explained
The cost factor (often called "salt rounds") is the single most important parameter when using bcrypt. It controls how many iterations the key derivation runs: the hash function executes 2^cost iterations of the Eksblowfish key schedule. Higher values produce slower hashes, making brute-force attacks exponentially harder.
How Cost Affects Speed
Each increment of the cost factor doubles the computation time:
| Cost | Iterations | Approx. Time (modern CPU) |
|---|---|---|
| 8 | 256 | ~1 ms |
| 10 | 1,024 | ~4 ms |
| 12 | 4,096 | ~15 ms |
| 13 | 8,192 | ~30 ms |
| 14 | 16,384 | ~60 ms |
| 16 | 65,536 | ~250 ms |
Times vary by CPU. These are approximate values for a modern x86-64 processor.
Choosing the Right Cost
The goal is to make hashing slow enough to deter brute-force attacks but fast enough to avoid degrading user experience:
- Minimum recommended: 10 — the default in most libraries, but increasingly considered the floor rather than the target
- Current best practice: 12–13 — provides a good balance between security and responsiveness for most web applications
- High-security applications: 14+ — suitable when login latency of 100ms+ is acceptable
The Decision Rule
Aim for a hash time of 250 ms or less per password on your production hardware. Measure with a benchmark on your actual server:
const bcrypt = require('bcrypt');
const start = Date.now();
bcrypt.hashSync('test-password', 12);
console.log(`Cost 12: ${Date.now() - start}ms`);
If the result is under 250 ms, you can consider increasing the cost. If it exceeds 1 second, reduce it.
Upgrading Cost Over Time
Hardware improves roughly following Moore’s Law. A cost factor that was adequate in 2015 may be insufficient today. Best practice is to rehash passwords on login when the stored cost is below your current target:
- User logs in with correct password
- Check the cost factor in the stored hash
- If below current target, rehash with the higher cost
- Store the new hash
This transparent upgrade ensures all active accounts migrate to stronger hashing without requiring password resets.
Common Mistakes
- Cost too low (< 10) — fast enough for attackers to brute-force at scale
- Cost too high (> 16) — causes login timeouts and denial-of-service vulnerabilities
- Hardcoding cost — store it as a configurable value so it can be updated without code changes
Use Case
Choosing the right cost factor is a decision every development team faces when implementing authentication. Too low and your password database is vulnerable to offline brute-force attacks if breached. Too high and legitimate users experience slow logins, and your servers become vulnerable to computational denial-of-service. Benchmarking on your production hardware and planning for periodic increases is the standard approach.