Bcrypt Salt Rounds Time Calculator
Bcrypt deliberately slows password hashing by running 2 raised to the cost factor key-setup iterations. Because each increase of one in the cost factor doubles the work, you can predict the hashing time at any cost from a single measurement on your hardware. This calculator scales your measured baseline time to a target cost, and reports the time per hash and how many hashes per second an attacker (or your server) could compute. The baseline time is a user input because bcrypt speed depends entirely on the machine and library.
Bcrypt cost scaling formula
iterations = 2^(target cost)
slowdown = 2^(target cost - baseline cost)
time per hash (ms) = baseline time * slowdown
hashes per second = 1000 / time per hash (ms)
The doubling factor 2^(target - baseline) follows directly from bcrypt running 2^cost rounds. Provide a measured baseline time at a known cost on your hardware; the result scales exactly to the target cost.
Bcrypt cost context
- The cost factor is a logarithm: cost 12 means 2^12 = 4,096 key-setup rounds.
- Each cost increment doubles the work and the time to hash.
- Bcrypt time is hardware and library dependent, so the baseline is a user input.
- Tune cost so one hash takes a few hundred milliseconds, then revisit as hardware speeds up.
- Output length (60 chars) and salt size (128 bits) do not change with cost.
Bcrypt salt rounds: frequently asked questions
What is the bcrypt cost factor?
The cost factor (also called salt rounds or work factor) is the base-2 logarithm of the number of key-setup iterations bcrypt performs: 2^cost rounds. A cost of 12 means 2^12 = 4,096 iterations. Each increment of one doubles the work and so roughly doubles the time to hash.
How does this calculator estimate time?
Because work doubles per cost increment, hashing time at a target cost equals your measured baseline time multiplied by 2 raised to (target cost minus baseline cost). Enter a time you measured at a known cost on your hardware, and it scales to any other cost.
Why must I supply a baseline time?
Bcrypt speed depends entirely on the CPU, language and library, so there is no universal milliseconds figure. We never hardcode hardware performance. Measure how long one hash takes at a known cost on your system, enter both, and the calculator scales accurately.
What cost factor should I choose?
Pick the highest cost whose hashing time is acceptable for your login latency, commonly tuned so a single hash takes a few hundred milliseconds. Higher cost slows attackers proportionally. Re-tune as hardware gets faster; this calculator helps you find the cost that hits a target time.
Does a higher cost change the hash length?
No. The bcrypt output is always 60 characters and the salt is always 128 bits regardless of cost. The cost only changes how much computation is needed, which is exactly the point: it makes brute-force guessing slower without changing storage.
Official sources
- NIST: Digital Identity Guidelines (SP 800-63B) on memorised secrets.
- NIST glossary: password hashing and work factor definitions.
Reviewed by the CalculatorHub team, edited by James Graham, 17 June 2026. See our methodology.