Bcrypt / argon2 cost
Pick a work factor and see how long one hash takes on a typical server — and what that means for offline cracking. Numbers are approximate, not a benchmark of your hardware.
Bcrypt cost
Cost: (each +1 doubles hash time; baseline: cost 10 ≈ 100ms)
Memory (KiB)
Iterations
Parallelism
Hash time (server CPU, one thread):
Hashes/sec (server):
Hashes/sec (GPU rig, ballpark):
Crack time estimates
Assumes offline attack on stolen hash DB, average luck (half keyspace). GPU column uses static multipliers — real attacks vary wildly.
| Password type | Server crack | GPU crack | Note |
|---|---|---|---|
Recommendation for new apps: bcrypt cost 12+ or argon2id with ≥64 MiB memory and enough iterations to land near 100–500ms per hash on your production CPUs. Always use a library — never roll your own. Top-1000 passwords fail regardless of cost; enforce strong passwords or passkeys.
About this tool
Password hashing is deliberately slow. Bcrypt's cost factor doubles work each step; argon2id adds memory hardness so GPUs gain less advantage. This calculator uses static baselines (bcrypt cost 10 ≈ 100ms on a typical server) — measure on your own hardware before picking production values.