When should I rehash passwords with a higher cost?
When hardware gets faster (your current cost feels too fast) or when you migrate algorithms. On next login, verify the old hash, then rehash with the new cost and save. Bcrypt stores the cost in the hash, so you can detect old hashes.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in bcrypt Salt Rounds Explained: How to Choose
10 for most apps (~100ms per hash). 12 for high-security apps (~400ms). 14+ is too slow for most apps. Each increment doubles the work, so the cost rises fast.
bcrypt.hash(password, N) runs the hash function 2^N times. N=10 means 1024 iterations. N=12 means 4096 iterations. Each increment doubles the work and the time.
On a modern CPU: N=8 about 25ms, N=10 about 100ms, N=12 about 400ms, N=14 about 1.6s. Pick the value that balances security and UX for your app.
Still have questions?
Browse all our FAQs or reach out to our support team
