Higher cost = more secure but slower. 10–12 recommended for production.
Bcrypt is a password hashing algorithm designed to be slow and computationally expensive, making brute-force attacks impractical. It is the most widely recommended algorithm for storing passwords.
The cost factor is the exponent n: the hash is computed with 2^n iterations. Cost 10 means 1,024 iterations, cost 12 means 4,096. Higher cost = slower hashing = harder to brute-force, but also slower for legitimate logins.
No. Bcrypt is a one-way hash — it is computationally infeasible to reverse. You can only verify a password by hashing it with the same salt and comparing the result.
Bcrypt automatically generates a random 22-character salt and embeds it in the hash output. This means the same password produces a different hash each time, preventing rainbow table attacks.
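Because the cost and the 22-character salt are both embedded in the stored string, a defender can audit a password table for hashes whose cost is below policy without knowing any password. The following is an added example (not code from this page or from any bcrypt library): it parses the standard bcrypt string layout ($2a$/$2b$/$2y$, two-digit cost, 22-character salt, 31-character digest) and flags rows to rehash at the user's next login; the sample rows and their salt/digest characters are constructed placeholders, not real hashes.

```python
import re
from dataclasses import dataclass

# Stored bcrypt string: "$" + version + "$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9); total length is always 60.
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

@dataclass(frozen=True)
class BcryptHash:
    version: str   # "2a", "2b" or "2y"
    cost: int      # the exponent n; the hash takes 2^n iterations
    salt: str      # 22 characters, generated at hash time and stored with the result
    digest: str    # 31 characters

    @property
    def iterations(self) -> int:
        return 2 ** self.cost

def parse_bcrypt_hash(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields; reject anything malformed."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:          # the range bcrypt implementations accept
        raise ValueError(f"cost {cost_int} outside the valid range 4..31")
    return BcryptHash(version, cost_int, salt, digest)

def hashes_below_cost(rows, min_cost: int = 10):
    """Return users whose stored hash uses a cost below policy (or is not bcrypt at all),
    so the application can rehash them transparently after their next successful login."""
    weak = []
    for user, stored in rows:
        try:
            if parse_bcrypt_hash(stored).cost < min_cost:
                weak.append(user)
        except ValueError:
            weak.append(user)            # legacy or corrupt entries also need attention
    return weak

# Constructed sample rows: the salt/digest characters are arbitrary, not output of bcrypt.
SAMPLE_ROWS = [
    ("alice", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("dave",  "$1$legacy$not-a-bcrypt-hash"),   # placeholder for a pre-bcrypt format
]

if __name__ == "__main__":
    h = parse_bcrypt_hash(SAMPLE_ROWS[0][1])
    print(f"cost {h.cost} -> {h.iterations} iterations, salt {h.salt!r}")
    print("needs rehash:", hashes_below_cost(SAMPLE_ROWS, min_cost=10))
```

Actual hashing and verification are done by a bcrypt library (in Python, the `bcrypt` package's `hashpw`/`checkpw`); this audit only reads the metadata the stored string already exposes.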