Hash Iterations Calculator
Enter your server speed (hashes/second) and target hash time to get recommended iteration counts for bcrypt, PBKDF2, and Argon2.
Algorithm Settings
Measure on your server. Default 100 h/s ≈ a modern CPU core.
Recommended Setting
Click Calculate to see recommendations
Cost Factor
—
Actual Hash Time
—
milliseconds on your hardware
Memory
—
Iterations
—
Parallelism
1
Example (PHP)
Security Analysis
Run the calculator to see attacker effort estimates.
Attacker speed (GPU farm)
—
Guesses/day (attacker)
—
Brute-force resistance
—
Cost vs. Time (Reference)
| Cost | Est. Time (ms) | Attacker guesses/day | Verdict |
|---|---|---|---|
| Run the calculator to populate this table. | |||
Summary
Enter your server speed (hashes/second) and target hash time to get recommended iteration counts for bcrypt, PBKDF2, and Argon2.
How it works
- Select your password hashing algorithm (bcrypt, PBKDF2, or Argon2).
- Enter your server benchmark speed (hashes per second at the current cost).
- Set your target hash time — 200–500 ms is the recommended range for login.
- The calculator outputs the recommended cost factor, iteration count, or memory parameters.
- Review the security analysis to understand attack resistance at the recommended setting.
- Adjust target time up for admin accounts or down for high-traffic APIs.
Use cases
- Tune bcrypt cost for a new application before launch.
- Upgrade PBKDF2 iterations as hardware gets faster over time.
- Compare Argon2id memory vs time trade-offs for your deployment.
- Estimate how long an attacker would need to brute-force a password.
- Set per-role iteration counts (admin vs regular user).
- Document password hashing compliance for security audits.
Frequently Asked Questions
Last updated: 2026-07-08 ·
Reviewed by Nham Vu