Examples
$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5NU7eBh6pTMG. (complete hash)Cost factor 10 → ~65ms | Cost 12 → ~250ms | Cost 14 → ~1000msbcrypt('password123', 12) → different every time due to random salt
FAQ
Why does bcrypt generate different hashes for the same password?
Because each hash includes a unique random salt. This prevents rainbow tables and ensures two users with the same password have different hashes. Verification works because the salt is included in the hash.
What cost factor should I use in bcrypt?
In 2024, the recommended is 12-14. Cost 12 takes ~250ms, acceptable for login but expensive for attackers. Increase the cost every 2-3 years to compensate for faster hardware.
Can I migrate from MD5 to bcrypt without resetting passwords?
Yes. A common strategy is bcrypt(existing_md5_hash) for existing users, and bcrypt(password) on next login. This avoids forcing a mass password reset.