Facebook Pixel

When should I rehash passwords with a higher cost?

When hardware gets faster (your current cost feels too fast) or when you migrate algorithms. On next login, verify the old hash, then rehash with the new cost and save. Bcrypt stores the cost in the hash, so you can detect old hashes.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in bcrypt Salt Rounds Explained: How to Choose

10 for most apps (~100ms per hash). 12 for high-security apps (~400ms). 14+ is too slow for most apps. Each increment doubles the work, so the cost rises fast.

bcrypt.hash(password, N) runs the hash function 2^N times. N=10 means 1024 iterations. N=12 means 4096 iterations. Each increment doubles the work and the time.

On a modern CPU: N=8 about 25ms, N=10 about 100ms, N=12 about 400ms, N=14 about 1.6s. Pick the value that balances security and UX for your app.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.