bcrypt Cost Factor and Security
Understand bcrypt's cost factor parameter and how it determines hashing speed. Learn recommended cost values for 2024, how to benchmark on your hardware, and when to migrate to Argon2id.
Detailed Explanation
What Is bcrypt?
bcrypt is a password hashing function designed in 1999 by Niels Provos and David Mazieres. Its critical feature is an adjustable cost factor (also called work factor or rounds) that controls how computationally expensive each hash operation is. As hardware gets faster, you increase the cost factor to maintain the same level of security.
How the Cost Factor Works
The cost factor is a single integer (valid range 4-31) that sets the number of rounds in bcrypt's deliberately expensive key setup (EksBlowfishSetup), each of which re-keys Blowfish with the salt and the password:
iterations = 2^cost
| Cost | Iterations | Approx. Time (modern CPU) |
|---|---|---|
| 10 | 1,024 | ~80 ms |
| 11 | 2,048 | ~160 ms |
| 12 | 4,096 | ~320 ms |
| 13 | 8,192 | ~640 ms |
| 14 | 16,384 | ~1.3 s |
Each increment doubles the computation time.
Recommended Cost Factors
| Year | Minimum Cost | Recommended Cost | Notes |
|---|---|---|---|
| 2015 | 10 | 12 | Baseline era |
| 2020 | 11 | 12-13 | GPU improvements |
| 2024 | 12 | 13-14 | Current recommendation |
| 2028+ | 13+ | 14+ | Projected |
The target: one hash should take about 250 ms to 1 s, measured on the production server hardware (not a developer laptop) and under normal load. That is fast enough for an interactive login but makes every offline guess correspondingly expensive. Where your measurement disagrees with the tables above, the measurement wins, and it should be repeated whenever the hardware changes. The time is per hash, so a login-heavy service also needs enough CPU to absorb peak logins per second times the hash time, and a cost that spends 1 s of CPU per login is 1 s an attacker can force you to burn per credential-stuffing attempt; pair a high cost with rate limiting.
Attacker Performance at Different Costs
An attacker's throughput follows the same doubling rule as your login path: every +1 in cost halves the guesses per second. The figures below take roughly 1,500 hashes/s at cost 10 on a single high-end consumer GPU (RTX 4090 class) as the baseline; published hashcat benchmarks for that card put cost-10 throughput several times higher, so treat the column as order-of-magnitude and benchmark your own. Time is the worst case to exhaust a 40-bit keyspace (2^40, about 1.1 × 10^12 guesses); on average a password falls in half that.
| Cost | Hashes/Second (1 GPU) | Time to Exhaust 40-bit Keyspace |
|---|---|---|
| 10 | ~1,500/s | ~23 years |
| 12 | ~375/s | ~93 years |
| 14 | ~94/s | ~370 years |
| 16 | ~23/s | ~1,500 years |
A real attacker rents hundreds of GPUs and starts with wordlists and rules rather than brute force, so the 40-bit column overstates the protection of a typical human-chosen password: a password drawn from a 10-million-entry wordlist falls in about 7 hours at cost 12 on one card, and 100 cards bring that to minutes. The cost factor multiplies the price of every guess; it does not rescue weak passwords, so it belongs alongside length requirements and breached-password checks rather than instead of them.
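To reproduce the table, and to answer the inverse question (which cost do I need so that a given keyspace takes a given number of years against a given number of GPUs), an added calculator that is not the page's own code. The 1,500 hashes/s at cost 10 is the baseline assumed above, not a measurement; feed in your own hashcat benchmark.

```python
"""Scale a measured cracking rate across cost factors and turn it into time to
exhaust a keyspace.  Added example, not the page's own code.  Rates are inputs:
take them from a hashcat benchmark of your own, not from this file."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def rate_at_cost(reference_rate: float, reference_cost: int, cost: int) -> float:
    """Hashes per second at `cost`, given a measured rate at `reference_cost`.

    bcrypt performs 2**cost key-expansion rounds, so every +1 halves throughput
    (and every -1 doubles it; negative exponents are handled by the float math).
    """
    return reference_rate / 2 ** (cost - reference_cost)


def seconds_to_exhaust(entropy_bits: float, hashes_per_second: float, gpus: int = 1) -> float:
    """Worst-case seconds to try every password in a 2**entropy_bits keyspace.

    Expected time for a uniformly chosen password is half this.
    """
    return 2 ** entropy_bits / (hashes_per_second * gpus)


def min_cost_for(
    entropy_bits: float,
    years: float,
    reference_rate: float,
    reference_cost: int,
    gpus: int = 1,
    max_cost: int = 31,
) -> int:
    """Smallest bcrypt cost at which exhausting the keyspace takes >= `years`."""
    for cost in range(4, max_cost + 1):
        rate = rate_at_cost(reference_rate, reference_cost, cost)
        if seconds_to_exhaust(entropy_bits, rate, gpus) >= years * SECONDS_PER_YEAR:
            return cost
    raise ValueError("target not reachable within bcrypt's cost range")


if __name__ == "__main__":
    for cost in (10, 12, 14, 16):
        rate = rate_at_cost(1500, 10, cost)
        years = seconds_to_exhaust(40, rate) / SECONDS_PER_YEAR
        print(f"cost {cost}: {rate:8.1f} H/s  ->  {years:8.0f} years for 2^40")
    print("cost for 2^40 to take 100 years against 100 GPUs:",
          min_cost_for(40, 100, 1500, 10, gpus=100))
```

The `gpus` multiplier is where the assumptions bite: a cost that looks comfortable against one card can be a few months against a rented fleet, which is why the cost factor is a floor under guessing cost and not a substitute for strong passwords.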
bcrypt Anatomy
A bcrypt hash string is always exactly 60 characters and carries everything needed to verify a password later: the version, the cost and the salt are stored alongside the digest. The example below is the published test vector from jBCrypt's test suite for the empty password at cost 6 (used here because it is verifiable; every real hash has the same layout):
$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s.
 │  │  │                     │
 │  │  │                     └── Hash (31 chars, bcrypt's own Base64 alphabet ./A-Za-z0-9)
 │  │  └── Salt (22 chars encoding 16 random bytes)
 │  └── Cost factor (06, i.e. 2^6 rounds)
 └── Algorithm version (2a; $2b$ is the current OpenBSD prefix and $2y$ the PHP one; all denote the same algorithm and most libraries verify any of them)
Because the cost is embedded, raising the configured cost never breaks existing hashes: verification reads the cost out of the string, and old hashes are replaced as users log in (see Migration Strategy). The embedded random salt means two users with the same password get different hashes, which defeats precomputed rainbow tables. The salt does nothing to slow an attacker who already holds the hash, though; only the cost factor does that.
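A parser for the layout above, as an added example (not the page's own code, standard library only). It validates the prefix, the two-digit cost, the 22-character salt and the 31-character digest, and exposes the check an auditor or migration job actually needs: is this stored hash below today's minimum cost? The policy check function and its name are assumptions.

```python
"""Parse a modular-crypt bcrypt string into its fields and validate its shape.
Added example, not the page's own code; pure standard library."""
import re
from dataclasses import dataclass

# bcrypt's Base64 alphabet is ./A-Za-z0-9, not the RFC 4648 one, and the
# salt and digest lengths are fixed, so the whole string is 60 characters.
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# jBCrypt test vector: the empty password hashed at cost 6 (not constructed here).
TEST_VECTOR = "$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s."


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(hash_string: str) -> BcryptHash:
    """Split '$2b$12$<22-char salt><31-char digest>' into its fields.

    Raises ValueError for anything that is not a well-formed 60-character
    bcrypt string, including a cost outside bcrypt's 4..31 range.
    """
    m = _BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return BcryptHash(m.group("version"), cost, m.group("salt"), m.group("digest"))


def is_bcrypt_hash(hash_string: str) -> bool:
    """Shape check only: says nothing about whether any password matches."""
    try:
        parse_bcrypt(hash_string)
    except ValueError:
        return False
    return True


def below_policy(hash_string: str, minimum_cost: int) -> bool:
    """True when a stored hash was produced with a cost below today's policy.
    (Assumed helper: the kind of check a migration report would run per row.)"""
    return parse_bcrypt(hash_string).cost < minimum_cost


if __name__ == "__main__":
    print(parse_bcrypt(TEST_VECTOR))
    print("needs re-hash at policy cost 12:", below_policy(TEST_VECTOR, 12))
```

Running `below_policy` over a credential table is the cheapest audit of stored-password strength there is: no cracking, just reading the cost digits every row already carries.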
bcrypt vs Argon2id
While bcrypt remains widely used and secure, Argon2id (winner of the 2015 Password Hashing Competition) offers advantages:
| Feature | bcrypt | Argon2id |
|---|---|---|
| CPU-hard | Yes | Yes |
| Memory-hard | No (4 KB fixed) | Yes (configurable) |
| GPU resistance | Moderate | Strong |
| ASIC resistance | Low | High |
| Parallelism control | No | Yes |
| Max password length | 72 bytes (longer input is silently truncated or rejected, depending on the library) | Effectively unlimited (2^32 - 1 bytes) |
Argon2id's memory-hardness makes GPU and ASIC attacks far more expensive, but only if the memory parameter is set to something meaningful; the OWASP floor is 19 MiB with 2 iterations and 1 lane, and an Argon2id configured with a few hundred KiB is no harder for a GPU than bcrypt. New projects should prefer Argon2id, while bcrypt at cost 12+ remains acceptable for existing systems. Whichever you run, the 72-byte limit is the bcrypt footgun to check for: passwords sharing their first 72 bytes verify as the same password in older libraries, and newer ones refuse the input outright, so the limit must be enforced or worked around deliberately at the application layer.
Migration Strategy
If upgrading from an older cost factor or algorithm:
- On next successful login: the plaintext is in hand, so verify against the old hash, immediately re-hash with the new cost or algorithm, and overwrite the stored value.
- Track which accounts still carry an old hash (the cost is readable from the stored string, and the prefix distinguishes bcrypt from Argon2id) so migration progress is visible and reportable.
- You cannot re-hash in bulk from the stored hashes alone, because the plaintext never exists on the server outside the login path and must never be stored. The one offline option is to wrap each existing hash in the new function, new(old(pw)), and replace it with a plain new(pw) on the user's next login; that protects the database immediately but adds a per-account scheme version you must track.
- Set a deadline: accounts that have not logged in, and so have not been re-hashed, within a defined period get a forced password reset, so no old-cost hash survives indefinitely.
Use Case
bcrypt cost factor knowledge is essential for backend developers implementing authentication, DevOps engineers configuring identity providers, and security auditors evaluating stored credential protection. Choosing the right cost factor directly determines how long attackers need to crack passwords from a stolen database — making it one of the most impactful server-side security decisions.