Bcrypt Salt

Automatically calculate salt rounds for bcrypt.

January 4, 2024

Have you ever asked yourself, "How many rounds of salt should I use for bcrypt?" Well, I have, and I've found the answer.

The Answer

The real answer is that it depends. The number of salt rounds affects how long it takes to hash a password. The more rounds you use, the more secure the hash, but also the longer it takes for a user to log in.

Ideally, you want to determine the maximum amount of time you're willing to wait for a password to be hashed and use that as your benchmark. This will vary depending on the hardware you're using. For example, a Raspberry Pi will require fewer rounds of salt than a 64-core server to achieve the same wait time.

To address this issue, I created bcrypt-salt. This tool calculates the number of salt rounds to use for bcrypt based on the maximum time you're willing to wait for a password hash. Simply profile the hardware you're using to find the number of salt rounds that results in a hash time at or below your desired threshold, which defaults to 500ms.

Conclusion

I hope you find this tool useful. If you have any questions or comments, please file an issue. Thanks for reading!