I've read some articles saying you should set the cost to be at least 16 (2^16), yet others say 8 or so is fine.

Is there any official standard for how high the cost should be set to?

3 Answers


The cost you should use depends on how fast your hardware (and implementation) is.

Generally speaking a cost of 8 or 10 is fine -- there isn't any noticeable delay. It's still a huge level of protection and far better than any home-grown solution using SHAs and salts. Once you upgrade your hardware you could increase the cost to 16. I would say that 16 is a little high at this time, and will probably result in noticeable (and annoying) delays. But if 16 works for you, by all means go for it!


5 Comments

Thanks for the confirmation/clarification that a cost of 8 is safe. Never want to take any chances with stuff like this haha
8 or 10 is nowhere close to enough. 12 or 13 maybe.
erickson - can you substantiate your claim? (and your downvote)
I tried 15 rounds and my server started freezing for about 7 seconds while hashing, should I stay at 10?
If you think 7 seconds is too long, then you should stay at 10.

You must set the number of iterations at the maximum value which is still "tolerable" depending on the hardware you use and the patience of the users. Higher is better.

The whole point of the iteration count is to make the password processing slow -- that is, to make it slow for the attacker who "tries" potential passwords. The slower the better. Unfortunately, raising the iteration count makes it slow for you too...

As a rule of thumb, consider that an attacker will break passwords by trying, on average, about 10 million (10^7) potential passwords. If you set the iteration count so that password hashing takes 1 second for you, and you consider that the attacker can muster ten times more computing power than you, then it will take him 10^7 * 1/10 seconds, i.e. about 12 days. If you set the iteration count so that password hashing takes only 0.01 second on your PC, then the attacker is done in three hours.


The cost should depend on your hardware.

You should test your cost settings and aim for the 100 .. 500 ms interval. Of course, if you are working with highly sensitive information, the time could be 1000 ms or even more.

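The two pieces of advice above, calibrating the cost against a latency budget (the 100..500 ms interval) and estimating what that latency buys you against an attacker with ten times your compute trying about 10^7 guesses, as an added example that is not part of the original thread. bcrypt's cost c means 2^c key-setup rounds, so each +1 doubles the time per hash; because the third-party `bcrypt` package may not be installed, the default work function below is a stand-in built on the standard library's PBKDF2 with 2^cost iterations (an assumption made for portability, not bcrypt itself), and `bcrypt_hasher` shows where the real library plugs in. The `sleep_hasher`, password and salt are constructed for the example.

```python
"""Calibrating a password-hash work factor and estimating attacker time."""
import hashlib
import os
import time
from typing import Callable

Hasher = Callable[[int], None]  # performs one password hash at the given cost


def pbkdf2_stand_in(cost: int) -> None:
    """Stand-in work function: 2**cost PBKDF2-HMAC-SHA256 iterations.
    Constructed for this example; it is NOT bcrypt, only the same 2**cost shape."""
    hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",  # constructed password
                        os.urandom(16), 2 ** cost)


def bcrypt_hasher(cost: int) -> None:
    """Real bcrypt; assumes the third-party `bcrypt` package is installed."""
    import bcrypt  # pip install bcrypt
    bcrypt.hashpw(b"correct horse battery staple", bcrypt.gensalt(rounds=cost))


def sleep_hasher(cost: int) -> None:
    """Synthetic hasher for quick demos/tests: 1 ms * 2**cost, same doubling shape."""
    time.sleep(0.001 * 2 ** cost)


def time_one(hasher: Hasher, cost: int) -> float:
    """Wall-clock seconds for a single hash at `cost`."""
    t0 = time.perf_counter()
    hasher(cost)
    return time.perf_counter() - t0


def calibrate(hasher: Hasher, target_seconds: float,
              min_cost: int = 4, max_cost: int = 31) -> int:
    """Return the highest cost whose single-hash time stays within target_seconds.

    Walks up from min_cost and stops at the first cost that exceeds the target,
    so the previous cost is the answer. bcrypt only accepts 4..31, hence the
    defaults. Re-run this on the production hardware, not a laptop."""
    best = min_cost
    for cost in range(min_cost, max_cost + 1):
        if time_one(hasher, cost) > target_seconds:
            break
        best = cost
    return best


def attacker_time_seconds(hash_seconds: float, attacker_speedup: float,
                          guesses: float = 1e7) -> float:
    """Expected seconds for an attacker with `attacker_speedup` times our
    compute to try `guesses` candidates (the thread's 10**7 rule of thumb)."""
    return guesses * hash_seconds / attacker_speedup


if __name__ == "__main__":
    cost = calibrate(pbkdf2_stand_in, target_seconds=0.25)
    per_hash = time_one(pbkdf2_stand_in, cost)
    print(f"stand-in cost {cost}: {per_hash * 1000:.0f} ms per hash")
    days = attacker_time_seconds(per_hash, attacker_speedup=10) / 86400
    print(f"attacker 10x faster, 10^7 guesses: ~{days:.1f} days")
```

Swap `pbkdf2_stand_in` for `bcrypt_hasher` to calibrate the real thing; the returned cost is what you pass to `gensalt(rounds=...)`. Because the walk stops at the first cost over budget, a noisy measurement can under-shoot by one; running the calibration a few times and taking the median is cheap insurance.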