Tecnología

bcrypt Cost Factor: Time per Hash & Cracking Resistance

Q: How much does increasing the bcrypt cost by 1 change the hashing time?

Each increment of 1 in the cost factor **exactly doubles** the hashing time, because the round count is 2^cost, not a linear count. Using a ~65 ms reference at cost=10: cost=11 ≈ 130 ms, cost=12 ≈ 260 ms, cost=13 ≈ 520 ms, cost=14 ≈ 1,040 ms. This exponential doubling applies **equally to defenders and attackers** — every +1 halves the attacker's brute-force throughput on the same hardware. That balance is exactly what keeps bcrypt relevant: as hardware speeds up, you raise the cost by 1 to restore the original difficulty.

Q: How long does bcrypt take per hash at cost=12?

On a modern single CPU core, cost=12 takes roughly **250-260 ms per hash**, which works out to about **3.8 hashes per second** per core. This matches OWASP's rule of thumb that cost=12 sits in the few-hundred-millisecond range. The exact number depends on your CPU: a fast desktop core may do ~150 ms, while a burstable cloud VM under sustained load may take 600-900 ms once CPU credits are exhausted. Always measure cost=12 on your own production hardware before committing — the figure here is a reference, not a guarantee.

Q: Why can't GPUs crack bcrypt as fast as they crack MD5 or SHA-256?

bcrypt's Blowfish key schedule requires approximately **4 KB of working memory** per hash (the 18-element P-array plus four 256-element S-boxes of 32-bit words, all read and written every round). GPU cores have very limited fast cache per thread, so parallelizing bcrypt across thousands of GPU threads causes heavy memory-bandwidth contention and serialization, killing throughput. An NVIDIA RTX 4090 does roughly **164 billion MD5 hashes per second** but only **a few thousand to ~21,000 bcrypt hashes per second** depending on cost factor — a slowdown of millions of times. This memory-hardness is by deliberate design and is what makes bcrypt resilient against commodity GPU attackers.

Q: How do I migrate a database from cost=10 to cost=12 without disrupting users?

Use **opportunistic rehashing on login**. When a user authenticates successfully: (1) verify the password against the stored hash regardless of its cost; (2) read the stored cost — it's encoded in the hash (the `$2b$10$...` prefix means cost=10); (3) if it's below your current minimum, rehash the plaintext (which you hold momentarily during auth) at the new cost and update the DB record atomically. **No bulk migration or downtime is needed** — the upgrade happens passively as users log in over days or weeks. Inactive accounts stay at the old cost until their next login, which is acceptable since they face lower attack pressure.

Q: Should I use bcrypt, Argon2id, or scrypt in 2026?

**OWASP's 2025-2026 ranking puts Argon2id first**, then scrypt, then bcrypt. **Argon2id** (winner of the 2015 Password Hashing Competition) is memory-hard with **tunable memory AND time parameters** (≈19 MiB and 2 iterations is a common 2026 baseline), has no 72-byte limit, and resists GPU/ASIC attacks better. **scrypt** (2009) is also memory-hard and well-vetted. **bcrypt** is the oldest of the three and slightly weaker against GPUs, but is **universally supported across every major language**, has 25+ years of cryptanalysis with no practical breaks, and is a pragmatic choice when Argon2id libraries are unavailable. **Never use** MD5, SHA-1, plain SHA-256/512, or unsalted hashes for passwords.

Q: How does bcrypt prevent rainbow-table attacks?

bcrypt incorporates a cryptographic **salt**: a 128-bit random value generated per password at hashing time and stored in the standard output format (`$2b$cost$22-char-salt$31-char-hash`). The salt feeds into the Blowfish key schedule, so **two identical passwords produce completely different hashes**. A rainbow table precomputes hash→password mappings for a fixed function, but a unique 128-bit salt invalidates any precomputed table — an attacker would need a separate table for **every possible salt** (2^128 ≈ 3.4 × 10^38), which is infeasible by many orders of magnitude. Salts force attackers into per-account brute-force, which is exactly where bcrypt's slowness does its job.

Q: What CPU/server specs should I benchmark bcrypt on before choosing a production cost?

**Always benchmark on production hardware under expected load**, not a dev laptop. Key variables: **CPU architecture** (ARM vs x86, server- vs consumer-grade), **sustained clock speed** (Turbo Boost won't engage under high-concurrency hashing), **cores dedicated to auth** (not contended by app threads), and whether the VM is **burstable** (AWS t-series CPU credits exhaust under sustained load, dropping you to baseline). A useful heuristic: pick the highest cost where time per hash stays under **~300 ms on production hardware at peak concurrency**. On most 2-4 vCPU cloud VMs (AWS c-series, GCP n2, Azure D-series), cost=12 lands around 200-300 ms. On ARM (Graviton, Ampere), expect 2-3× slower than x86 at the same cost.

Q: What does a bcrypt hash look like and how do I read the cost from it?

A bcrypt hash is a 60-character ASCII string like `$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy`. Decoded: `$2b$` (also `$2a$`, `$2y$`) is the **version identifier** (`2b` is the current canonical variant since 2014); `12$` is the **cost factor** (here cost=12, a two-digit decimal); the next 22 characters are the **base64-encoded 128-bit salt**; the final 31 characters are the **base64-encoded hash output**. To read the cost in code, parse the two digits before the second `$`. Library helpers — `bcrypt.getRounds()` in Node.js, `passlib.identify()`/`bcrypt__ident` in Python, `password_get_info()` in PHP — do this for you.

Calculate bcrypt time per hash by cost factor (work factor / rounds). See ms per hash, hashes/sec and the OWASP-recommended cost for 2026, with a full reference table.

🗓️ Updated June 2026 Reviewed by Martín Rodríguez

Calculator Free · Private

Reviewed by: Martín Rodríguez (editorial policy ) · Last reviewed: Jun 20, 2026

Cost factor (rounds = 2^cost)*

🧮 Keep calculating

Calculate Password Cracking TimeFree password cracking time estimator. See how long to brute-force any password based on length and character set. Updated for 2026.Calculate Your AWS EC2 Monthly CostsFree AWS EC2 monthly cost calculator. Instantly estimate your cloud instance costs with current pricing data.Calculate Your Monthly LLM API CostsEstimate monthly LLM API costs by token usage. Free calculator for Claude, OpenAI & more. Updated 2026.Calculate 3D Printing Costs Per PartMaterial, electricity, printer wear & profit margin. Free cost breakdown tool.

Have a website? Embed this calculator for free Free — copy the code and paste it on your website Embed on your site

<iframe src="https://hacecuentas.com/embed/hashes-bcrypt-costo-tiempo-cracking" width="100%" height="560" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px" loading="lazy" title="bcrypt Cost Factor: Time per Hash & Cracking Resistance"></iframe>
<p style="font-size:13px;text-align:center;margin:8px 0">Powered by <a href="https://hacecuentas.com" target="_blank" rel="noopener">Hacé Cuentas</a> — <a href="https://hacecuentas.com/hashes-bcrypt-costo-tiempo-cracking" target="_blank" rel="noopener">bcrypt Cost Factor: Time per Hash & Cracking Resistance</a></p>

Preview →

Paste it on your site. Keep the credit link — thanks for sharing. More widgets →

bcrypt is a password-hashing function designed by Niels Provos and David Mazières in 1999, originally for OpenBSD, and built on the Blowfish cipher key schedule. Unlike fast cryptographic hashes such as MD5, SHA-1 or SHA-256, bcrypt is intentionally slow: its cost factor (also called the work factor or rounds parameter) controls exactly how slow it is, and therefore how expensive it becomes for an attacker to brute-force a stolen hash database.

The cost factor is an exponent of base 2: cost=N means bcrypt performs 2^N internal key-expansion rounds. So cost=10 runs 1,024 rounds, cost=12 runs 4,096 rounds, cost=14 runs 16,384 rounds, and so on. Each +1 in cost exactly doubles the hashing time — both for legitimate logins on your server and for an attacker cracking the hash offline. The bcrypt specification allows costs from 4 to 31, but practical values for password hashing in 2026 are between 10 and 14.

On a modern single CPU core (AMD EPYC / Intel Xeon / consumer x86, 2024-2026 generation), a useful reference point is ~65 ms per hash at cost=10. From there it doubles cleanly: cost=12 ≈ 260 ms, cost=14 ≈ 1,040 ms (≈1 second). OWASP's 2025-2026 Password Storage Cheat Sheet sets the recommended bcrypt floor at cost=10, with cost=12 widely used as the modern default because it lands in the ~250 ms range — fast enough for user logins, slow enough to make offline brute-force economically prohibitive on commodity GPU hardware.

bcrypt has three important properties beyond raw slowness: (1) a built-in 128-bit random salt per password, generated automatically and stored alongside the hash, which makes rainbow-table attacks infeasible; (2) modest memory hardness — bcrypt's Blowfish key schedule needs ~4 KB of working state (the P-array and four 1-KB S-boxes), which severely limits GPU and ASIC parallelism compared to MD5; (3) a 72-byte truncation limit on the input password, a quirk of the original spec you must work around for very long passphrases.

This calculator estimates the wall-clock time per hash at any cost factor on a reference modern CPU core, plus approximate throughput in hashes per second and a security recommendation tuned to 2026 hardware. Always benchmark on your production hardware before committing a cost factor to production: a MacBook Pro dev machine can be 3-5× faster than a burstable cloud VM under sustained load, and ARM (Graviton, Ampere) is typically 2-3× slower than x86 at the same cost.

When to use this calculator

Backend engineer setting a secure bcrypt cost factor for a new SaaS authentication system, targeting ~200-300 ms per login on the production cloud VM without degrading UX. The calc shows cost=12 ≈ 260 ms (the common default) and cost=11 ≈ 130 ms.
Security team auditing a legacy PHP app using cost=8 (~16 ms, considered insecure) and quantifying the migration cost: rehashing 2 million stored hashes at cost=12 (260 ms each) requires ~520,000 CPU-seconds — about 6 days on a single core, or ~18 hours parallelized across 8 cores.
Capacity planner for a high-traffic banking login endpoint estimating concurrent bcrypt verifications per server: at cost=12 (260 ms/hash) and 8 cores dedicated to auth, the theoretical ceiling is ~31 logins/second; peak traffic of 20 logins/sec leaves comfortable headroom.
Pentester estimating attacker cracking speed on a 4× NVIDIA RTX 4090 rig (each card does a few thousand bcrypt/s at cost=12) against a stolen hash table; for an 8-char random alphanumeric password (62^8 combinations) the average case runs into decades, illustrating why bcrypt slowness matters.
DevOps engineer setting an opportunistic rehash policy: on successful login, if the stored hash uses a cost below your minimum, transparently rehash the plaintext at the new cost and update the DB. The calc helps justify the chosen minimum given current hardware.
Compliance auditor checking PCI-DSS requirement 8.3.2 (render passwords unreadable using strong cryptography) for a payment processor: bcrypt cost=12 comfortably satisfies the rule for 2025-2026; cost=8 raises an audit finding.
CTO evaluating Argon2id vs bcrypt for a new mobile-backend API: bcrypt is universally supported in Node.js, Python, Go, Ruby, Rust and PHP, has 25+ years of cryptanalysis with no practical breaks, and the calc shows cost=12 ≈ 260 ms at acceptable cost — a pragmatic choice when Argon2id libraries are unavailable.
Embedded systems developer prototyping authentication for an ARM Cortex-A53 IoT device: the same cost=12 that runs in ~260 ms on x86 takes 600-900 ms on the ARM SBC. The calc helps choose cost=10 or 11 as a compromise between security and UX on lower-power hardware.

bcrypt Cost Factor: Rounds, Time & Security Rating (2026 Reference)

Cost	Rounds (2^cost)	Time/hash (1 CPU core)	CPU hashes/s	GPU hashes/s (RTX 4090, approx)	Security rating (2026)
8	256	~16 ms	~62	~350,000	❌ Insecure
10	1,024	~65 ms	~15	~21,000	✅ OWASP minimum
11	2,048	~130 ms	~7.7	~10,500	✅ Good
12	4,096	~260 ms	~3.8	~5,250	✅ Recommended default
13	8,192	~520 ms	~1.9	~2,625	✅ Strong
14	16,384	~1,040 ms (~1 s)	~1.0	~1,312	✅ Very strong
15	32,768	~2,080 ms (~2 s)	~0.5	~656	⚠️ May impact UX

Fuente: OWASP Password Storage Cheat Sheet (2025-2026). Referencia base: 65 ms/hash a cost=10 en un core x86 moderno (AMD EPYC / Intel Xeon, 2024-2026); cada +1 en cost duplica el tiempo. GPU limitada por el patrón de acceso a memoria de bcrypt (~4 KB por hash). Siempre realizar benchmark en hardware de producción.

How it works

How It's Calculated

bcrypt's cost factor is a base-2 exponent applied to the number of key-schedule iterations inside the Blowfish cipher. The wall-clock time scales exponentially:

Time(cost) = T_ref × 2^(cost − cost_ref)

Where:
  T_ref     = measured time at a known reference cost on your hardware
  cost_ref  = the reference cost factor used to establish T_ref
  cost      = the target cost factor you want to evaluate

Reference used by this calculator (modern single CPU core):
  T_ref = 65 ms  at  cost_ref = 10
  Time(12) = 65 × 2^(12−10) = 65 × 4  = 260 ms
  Time(14) = 65 × 2^(14−10) = 65 × 16 = 1,040 ms ≈ 1 s

Hashes per second (single core):
  hashes_per_sec = 1,000 ms / Time(cost in ms)

> Note: bcrypt is memory-hard in the sense that it needs ~4 KB of RAM per hash (the Blowfish P-array + four S-boxes), which severely limits GPU parallelism compared to pure compute-bound hashes like MD5. The 65 ms reference is a typical modern x86 core; your hardware will differ — always benchmark in production.

---

bcrypt Cost vs Time Reference Table

Values use the calculator's reference of 65 ms per hash at cost=10 on one modern CPU core, doubling for every +1. Real benchmarks (hashcat, john-the-ripper, bcrypt.js) land in this range on 2024-2026 hardware; GPU figures (NVIDIA RTX 4090) are approximate and limited by bcrypt's memory access pattern.

Cost	Rounds (2^cost)	Time/hash (1 CPU core)	CPU hashes/s	GPU hashes/s (RTX 4090, approx)	Security rating (2026)
8	256	~16 ms	~62	~350,000	❌ Insecure
10	1,024	~65 ms	~15	~21,000	✅ OWASP minimum
11	2,048	~130 ms	~7.7	~10,500	✅ Good
12	4,096	~260 ms	~3.8	~5,250	✅ Recommended default
13	8,192	~520 ms	~1.9	~2,625	✅ Strong
14	16,384	~1,040 ms (~1 s)	~1.0	~1,312	✅ Very strong
15	32,768	~2,080 ms (~2 s)	~0.5	~656	⚠️ May impact UX

> Each row is exactly double the row above. GPU figures assume bcrypt's memory access pattern limits parallelism; actual throughput varies by driver and implementation.

---

Typical Examples

Example 1 — Startup web app (cost=12)
A Node.js API uses bcrypt.hash(password, 12). On a 2-core VPS:

Time per hash ≈ 260 ms → ~3.8 hashes/s per core → ~7.6 hashes/s total.

Peak login load = 3 requests/s → within capacity, minimal queue buildup.

An attacker with an RTX 4090 cracking offline does a few thousand bcrypt/s at cost=12. An 8-char random alphanumeric password (62^8 ≈ 2.18 × 10¹⁴ combinations) takes decades to exhaust at that rate.

Example 2 — Legacy app rehash migration (cost=8 → cost=12)
An e-commerce platform has 500,000 user records hashed at cost=8. Rehashing all at cost=12:

Time per hash ≈ 260 ms × 500,000 = 130,000 s ≈ 36 hours on a single CPU core (≈4.5 hours across 8 cores).

Better solution: rehash opportunistically on successful login, completing migration passively over weeks without a maintenance window.

Example 3 — High-traffic API (cost=14 vs 13)
A financial services app wants cost=14 (~1,040 ms). With 8 CPU cores dedicated to auth:

Throughput = 8 × (1 / 1.04 s) ≈ 7.7 hashes/s. At peak 10 logins/s, a queue forms.

Decision: drop to cost=13 (~520 ms) → ≈15 hashes/s, comfortable headroom at 10 logins/s.

---

Common Mistakes

1. Confusing cost with the number of rounds directly. The cost factor is an exponent: cost=12 means 2¹² = 4,096 rounds, NOT 12 rounds. Bumping cost from 12 to 13 doesn't add one round — it doubles the total work.

2. Treating a fixed ms number as universal. bcrypt timing depends entirely on hardware. ~65 ms at cost=10 is a reasonable modern reference, but a fast desktop CPU might do half that and a burstable cloud VM 3-4× more. Always benchmark in production.

3. Benchmarking on a dev laptop and deploying to production. A MacBook M3 may hash cost=12 in ~80 ms; a cloud t3.micro (burstable CPU) might take 600-900 ms under sustained load when CPU credits exhaust.

4. Ignoring the 72-byte password limit. bcrypt silently truncates input at 72 bytes. A 100-character passphrase is effectively hashed at 72 bytes. Pre-hash with SHA-512 (carefully) or switch to Argon2id if you need full-length support.

5. Never re-evaluating the cost factor. OWASP recommends raising cost as hardware improves. A cost set in 2016 may be inadequate today. Implement a version check in your auth flow to rehash on login when the stored cost is below your current minimum.

---

Related Calculators

SHA-256 Hash Speed Estimator

Argon2 Memory & Time Cost Calculator

Brute-Force Time Estimator

Worked example — cost = 12

Reference: ~65 ms per hash at cost = 10 on a modern CPU core

Time(12) = 65 ms × 2^(12 − 10) = 65 × 4 = 260 ms

Hashes/sec = 1,000 ms ÷ 260 ms ≈ 3.8 hashes/sec per core

≈ 260 ms per hash · ≈ 3.8 hashes/sec per core

Frequently asked questions

What bcrypt cost factor should I use in 2026?

OWASP's 2025-2026 Password Storage Cheat Sheet sets the recommended minimum at cost=10, and cost=12 is the common production default for new deployments because it lands around 250-260 ms per hash on a modern CPU core — slow enough to deter offline cracking, fast enough for interactive logins. Use cost=13 (~520 ms) or cost=14 (~1 s) when you have a larger latency budget (CLI tools, password managers, low-traffic admin logins). Stay at or above cost=10 for any user-facing login; cost=8 and below (~16 ms or faster) is considered insufficient against modern GPU cracking.

How much does increasing the bcrypt cost by 1 change the hashing time?

Each increment of 1 in the cost factor exactly doubles the hashing time, because the round count is 2^cost, not a linear count. Using a ~65 ms reference at cost=10: cost=11 ≈ 130 ms, cost=12 ≈ 260 ms, cost=13 ≈ 520 ms, cost=14 ≈ 1,040 ms. This exponential doubling applies equally to defenders and attackers — every +1 halves the attacker's brute-force throughput on the same hardware. That balance is exactly what keeps bcrypt relevant: as hardware speeds up, you raise the cost by 1 to restore the original difficulty.

How long does bcrypt take per hash at cost=12?

On a modern single CPU core, cost=12 takes roughly 250-260 ms per hash, which works out to about 3.8 hashes per second per core. This matches OWASP's rule of thumb that cost=12 sits in the few-hundred-millisecond range. The exact number depends on your CPU: a fast desktop core may do ~150 ms, while a burstable cloud VM under sustained load may take 600-900 ms once CPU credits are exhausted. Always measure cost=12 on your own production hardware before committing — the figure here is a reference, not a guarantee.

Why can't GPUs crack bcrypt as fast as they crack MD5 or SHA-256?

bcrypt's Blowfish key schedule requires approximately 4 KB of working memory per hash (the 18-element P-array plus four 256-element S-boxes of 32-bit words, all read and written every round). GPU cores have very limited fast cache per thread, so parallelizing bcrypt across thousands of GPU threads causes heavy memory-bandwidth contention and serialization, killing throughput. An NVIDIA RTX 4090 does roughly 164 billion MD5 hashes per second but only a few thousand to ~21,000 bcrypt hashes per second depending on cost factor — a slowdown of millions of times. This memory-hardness is by deliberate design and is what makes bcrypt resilient against commodity GPU attackers.

What is the 72-byte truncation limit in bcrypt and how does it affect security?

The original bcrypt specification (Provos & Mazières, 1999) processes only the first 72 bytes of the password input; any byte beyond position 72 is silently ignored. So two passwords sharing the same first 72 bytes produce identical hashes. For typical passwords under 30 characters this is irrelevant, but it matters for long passphrases or systems that allow arbitrary-length input without warning. Workarounds: (1) pre-hash with SHA-512 before bcrypt to compress to 64 bytes (the Dropbox approach), watching for null bytes in the output; (2) switch to Argon2id, which has no truncation limit; or (3) enforce a 72-byte maximum in your registration UI.

How do I migrate a database from cost=10 to cost=12 without disrupting users?

Use opportunistic rehashing on login. When a user authenticates successfully: (1) verify the password against the stored hash regardless of its cost; (2) read the stored cost — it's encoded in the hash (the $2b$10$... prefix means cost=10); (3) if it's below your current minimum, rehash the plaintext (which you hold momentarily during auth) at the new cost and update the DB record atomically. No bulk migration or downtime is needed — the upgrade happens passively as users log in over days or weeks. Inactive accounts stay at the old cost until their next login, which is acceptable since they face lower attack pressure.

Should I use bcrypt, Argon2id, or scrypt in 2026?

OWASP's 2025-2026 ranking puts Argon2id first, then scrypt, then bcrypt. Argon2id (winner of the 2015 Password Hashing Competition) is memory-hard with tunable memory AND time parameters (≈19 MiB and 2 iterations is a common 2026 baseline), has no 72-byte limit, and resists GPU/ASIC attacks better. scrypt (2009) is also memory-hard and well-vetted. bcrypt is the oldest of the three and slightly weaker against GPUs, but is universally supported across every major language, has 25+ years of cryptanalysis with no practical breaks, and is a pragmatic choice when Argon2id libraries are unavailable. Never use MD5, SHA-1, plain SHA-256/512, or unsalted hashes for passwords.

How does bcrypt prevent rainbow-table attacks?

bcrypt incorporates a cryptographic salt: a 128-bit random value generated per password at hashing time and stored in the standard output format ($2b$cost$22-char-salt$31-char-hash). The salt feeds into the Blowfish key schedule, so two identical passwords produce completely different hashes. A rainbow table precomputes hash→password mappings for a fixed function, but a unique 128-bit salt invalidates any precomputed table — an attacker would need a separate table for every possible salt (2^128 ≈ 3.4 × 10^38), which is infeasible by many orders of magnitude. Salts force attackers into per-account brute-force, which is exactly where bcrypt's slowness does its job.

What CPU/server specs should I benchmark bcrypt on before choosing a production cost?

Always benchmark on production hardware under expected load, not a dev laptop. Key variables: CPU architecture (ARM vs x86, server- vs consumer-grade), sustained clock speed (Turbo Boost won't engage under high-concurrency hashing), cores dedicated to auth (not contended by app threads), and whether the VM is burstable (AWS t-series CPU credits exhaust under sustained load, dropping you to baseline). A useful heuristic: pick the highest cost where time per hash stays under ~300 ms on production hardware at peak concurrency. On most 2-4 vCPU cloud VMs (AWS c-series, GCP n2, Azure D-series), cost=12 lands around 200-300 ms. On ARM (Graviton, Ampere), expect 2-3× slower than x86 at the same cost.

What does a bcrypt hash look like and how do I read the cost from it?

A bcrypt hash is a 60-character ASCII string like $2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy. Decoded: $2b$ (also $2a$ , $2y$ ) is the version identifier (2b is the current canonical variant since 2014); 12$ is the cost factor (here cost=12, a two-digit decimal); the next 22 characters are the base64-encoded 128-bit salt; the final 31 characters are the base64-encoded hash output. To read the cost in code, parse the two digits before the second $. Library helpers — bcrypt.getRounds() in Node.js, passlib.identify()/bcrypt__ident in Python, password_get_info() in PHP — do this for you.

Is bcrypt vulnerable to timing attacks?

The hashing itself is not significantly vulnerable, because the computation time depends only on the cost factor (chosen by you) and not on the password content — bcrypt's Blowfish key schedule does the same work regardless of input. The comparison step is what matters: when verifying a login by comparing the computed hash against the stored hash, use a constant-time comparison (crypto.timingSafeEqual() in Node.js, secrets.compare_digest() in Python, hash_equals() in PHP), never a plain == or strcmp that short-circuits on the first differing byte. Most maintained bcrypt libraries compare in constant time internally, but custom verification logic is a common pitfall. Also avoid leaking bcrypt latency on unauthenticated endpoints — return consistent response times.

Can I use bcrypt for API keys or session tokens instead of passwords?

Generally no. Don't use bcrypt (or any password-hashing function) for API keys, session tokens, OAuth tokens, or other random secrets. Password hashers are slow on purpose to defend low-entropy human passwords against brute-force. API keys and tokens are typically high-entropy random bytes (e.g., 256-bit) where brute-force is already infeasible against any decent hash. For those, a fast cryptographic hash like SHA-256 or HMAC-SHA-256 (with a server-side key) is appropriate and orders of magnitude faster. Reserve bcrypt and Argon2id specifically for user-chosen passwords.

Sources & references

Methodology & trust

Editorial

Calculadora de tecnología revisada por el equipo editorial de Hacé Cuentas, contrastada con OWASP Password Storage Cheat Sheet – bcrypt recommendations, según nuestra política editorial y metodología.

Updates

Última revisión: June 20, 2026. Los parámetros se verifican periódicamente con las fuentes citadas.

Privacy

Calculations run 100% in your browser. We do not store or transmit your data.

Limitations

Indicative results. For critical decisions, consult a professional.

📌 How to cite this calculator

Rodríguez, M. (2026). bcrypt Cost Factor: Time per Hash & Cracking Resistance. Hacé Cuentas. https://hacecuentas.com/hashes-bcrypt-costo-tiempo-cracking

Contenido bajo licencia CC-BY 4.0 — reutilizable citando la fuente con enlace a Hacé Cuentas.

✉️ Reportar un error en esta calculadora