Bcrypt Cost Factor Calculator

Bcrypt is an adaptive password-hashing function designed by Niels Provos and David Mazières in 1999. Its defining feature is the cost factor: a parameter that sets the number of iterations to 2^cost. Adding one to the cost factor doubles the number of iterations and therefore the hashing time, making it easy to scale difficulty as hardware improves. This calculator shows the number of iterations for a given cost factor, estimates the time per hash based on your hardware benchmark, and calculates the approximate GPU-hours required to crack a password hash, helping you choose an appropriate cost factor for your application's security requirements.

OWASP minimum: 10. Typical range: 10 to 14.
Benchmark your server with bcrypt at your chosen cost

Bcrypt cost formula

Iterations = 2^cost
Time per hash (ms) = 1,000 / hash rate (hashes/s)
Cost 10: 1,024 iterations
Cost 12: 4,096 iterations
Cost 14: 16,384 iterations

The OWASP Password Storage Cheat Sheet recommends a cost factor that results in hashing taking approximately 1 second on the server hardware. This makes interactive login tolerable for legitimate users while making mass cracking of stolen hashes extremely expensive.
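
The formulas above, applied to a measured benchmark and to stored hashes, in an added Python example that is not part of the original calculator. It goes one step further than the calculator by reading the cost out of a stored hash string to flag hashes created below the current policy. The benchmark figures, the GPU rate, the placeholder hash string and all function names are assumptions constructed for illustration.

```python
import math
import re

MIN_COST, MAX_COST = 4, 31   # valid bcrypt cost range
# Modular-crypt layout: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
_BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")

def iterations(cost):
    """Iterations = 2^cost."""
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"bcrypt cost must be {MIN_COST}..{MAX_COST}")
    return 1 << cost

def ms_per_hash(hash_rate):
    """Time per hash (ms) = 1,000 / hash rate (hashes/s)."""
    if hash_rate <= 0:
        raise ValueError("hash rate must be positive")
    return 1000.0 / hash_rate

def scale_rate(rate, from_cost, to_cost):
    """Each +1 in cost doubles the work, so the hash rate halves."""
    return rate * iterations(from_cost) / iterations(to_cost)

def cost_for_target(bench_rate, bench_cost, target_ms=1000, floor=10):
    """Highest cost whose estimated time stays within target_ms, never below floor."""
    steps = math.floor(math.log2(target_ms / ms_per_hash(bench_rate)))
    return max(floor, min(MAX_COST, bench_cost + steps))

def gpu_hours(keyspace, gpu_rate, gpu_cost, cost):
    """GPU-hours to try every candidate in keyspace against one hash at `cost`."""
    return keyspace / scale_rate(gpu_rate, gpu_cost, cost) / 3600

def stored_cost(hash_str):
    """Read the cost factor embedded in a stored bcrypt hash string."""
    m = _BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))

def needs_rehash(hash_str, policy_cost):
    """True when a stored hash was created below the current policy cost."""
    return stored_cost(hash_str) < policy_cost

if __name__ == "__main__":
    # Constructed inputs: server does 10 hashes/s at cost 10; one GPU does 1,000 hashes/s at cost 10
    policy = cost_for_target(bench_rate=10, bench_cost=10)
    old_hash = "$2b$10$" + "A" * 53      # constructed placeholder, not a real digest
    print(policy, ms_per_hash(scale_rate(10, 10, policy)))
    print(gpu_hours(10**8, 1000, 10, policy), needs_rehash(old_hash, policy))
```

A hash flagged by `needs_rehash` can only be upgraded at the user's next successful login, when the plaintext password is available to hash again at the policy cost.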

Cost factor reference table

  • Cost 4: 16 iterations. Minimum valid bcrypt cost. Far too fast for password storage.
  • Cost 10: 1,024 iterations. OWASP minimum. Approximately 100 ms on typical server hardware.
  • Cost 12: 4,096 iterations. Good balance for most applications circa 2024.
  • Cost 14: 16,384 iterations. Suitable for high-security applications where login latency of 1-2 seconds is acceptable.
  • Cost 16: 65,536 iterations. Very high security but login may take several seconds. Use for offline key derivation.

Bcrypt cost factor calculator: frequently asked questions

What is the bcrypt cost factor?

The bcrypt cost factor (also called the work factor) is an integer that controls the number of iterations: iterations = 2^cost. A cost of 10 means 1,024 iterations; a cost of 12 means 4,096 iterations. Higher cost means slower hashing, which makes brute-force attacks more expensive.

What bcrypt cost factor does OWASP recommend?

OWASP's Password Storage Cheat Sheet recommends a cost factor of 10 as a minimum, and adjusting upward so that hashing takes approximately 1 second on your hardware. As hardware gets faster, the cost factor should be increased periodically to maintain the 1-second target.

How does bcrypt compare to Argon2 for password hashing?

Both are intentionally slow password-hashing functions. bcrypt has been widely used since 1999 and is battle-tested. Argon2 (winner of the 2015 Password Hashing Competition) adds memory-hardness, making it harder to parallelize on GPUs and ASICs. NIST SP 800-63B mentions Argon2, scrypt, and bcrypt as acceptable choices.

Can bcrypt be parallelized on GPUs to crack passwords faster?

bcrypt is harder to parallelize on GPUs than MD5 or SHA-256 because it requires more memory and has data-dependent memory access patterns. However, specialized hardware can still attack bcrypt at thousands of hashes per second, which is why the cost factor must be set appropriately and increased over time.

What happens if the bcrypt cost factor is too low?

A low cost factor (such as 4 or 6) means hashing is very fast, making it cheap for an attacker to brute-force stolen hashes. OWASP recommends cost 10 as a minimum. A cost factor of 4 (the bcrypt minimum) produces 16 iterations, which modern hardware can compute millions of times per second.

Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.