Automatically calculate salt rounds for bcrypt.
January 4, 2024
Have you ever asked yourself, "How many rounds of salt should I use for bcrypt?" Well, I have, and I've found the answer.
The real answer is that it depends. The number of salt rounds determines how long it takes to hash a password. The more rounds you use, the more work an attacker needs per guess, but the longer each user has to wait to log in.
Ideally, you want to determine the maximum amount of time you're willing to wait for a password to be hashed and use that as your benchmark. This will vary depending on the hardware you're using. For example, a Raspberry Pi will require fewer rounds of salt than a 64-core server to achieve the same wait time.
To address this issue, I created bcrypt-salt. This tool calculates the number of salt rounds to use for bcrypt based on the maximum time you're willing to wait for a password hash. Simply profile the hardware you're using to find the number of salt rounds that results in a hash time at or below your desired threshold, which defaults to 500ms.
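The profiling step described above, as an added Python example that is not bcrypt-salt's own code: `pick_rounds` walks the cost factor upward and keeps the last value whose single hash stays at or below the budget, and `time_bcrypt` (which assumes the `bcrypt` PyPI package is installed) supplies the measurement on the current machine.

```python
import time
from typing import Callable, Optional

try:
    import bcrypt  # pip install bcrypt; only needed for the live demo below
except ImportError:
    bcrypt = None

MIN_ROUNDS, MAX_ROUNDS = 4, 31  # bcrypt's legal cost-factor range


def time_bcrypt(rounds: int, password: bytes = b"benchmark-password") -> float:
    """Wall-clock seconds for one bcrypt hash at the given cost factor."""
    salt = bcrypt.gensalt(rounds=rounds)
    start = time.perf_counter()
    bcrypt.hashpw(password, salt)
    return time.perf_counter() - start


def pick_rounds(max_ms: float, measure: Callable[[int], float],
                start: int = MIN_ROUNDS) -> Optional[int]:
    """Largest cost factor whose measured hash time is at or below max_ms.

    Each extra round doubles the work, so hash time grows monotonically and
    we can stop at the first round that exceeds the budget. Returns None if
    even the starting cost is already too slow on this hardware.
    """
    best = None
    for rounds in range(start, MAX_ROUNDS + 1):
        seconds = measure(rounds)  # single sample; average several in production
        if seconds * 1000 > max_ms:
            break
        best = rounds
    return best


if __name__ == "__main__":
    if bcrypt is None:
        raise SystemExit("install the bcrypt package to profile this machine")
    chosen = pick_rounds(500, time_bcrypt)  # 500 ms, the post's default budget
    print(f"use {chosen} salt rounds to stay at or below 500 ms on this host")
```

Because the result depends on the host, re-run the profile whenever the hardware that performs logins changes.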
I hope you find this tool useful. If you have any questions or comments, please file an issue. Thanks for reading!