Hash Iterations Calculator

Enter your server speed (hashes/second) and target hash time to get recommended iteration counts for bcrypt, PBKDF2, and Argon2.

Algorithm Settings

Measure on your server. Default 100 h/s ≈ a modern CPU core.

Recommended Setting

Click Calculate to see recommendations

Security Analysis

Run the calculator to see attacker effort estimates.

Cost vs. Time (Reference)

Cost Est. Time (ms) Attacker guesses/day Verdict
Run the calculator to populate this table.

Summary

Enter your server speed (hashes/second) and target hash time to get recommended iteration counts for bcrypt, PBKDF2, and Argon2.

How it works

  1. Select your password hashing algorithm (bcrypt, PBKDF2, or Argon2).
  2. Enter your server benchmark speed (hashes per second at the current cost).
  3. Set your target hash time — 200–500 ms is the recommended range for login.
  4. The calculator outputs the recommended cost factor, iteration count, or memory parameters.
  5. Review the security analysis to understand attack resistance at the recommended setting.
  6. Adjust target time up for admin accounts or down for high-traffic APIs.

Use cases

  • Tune bcrypt cost for a new application before launch.
  • Upgrade PBKDF2 iterations as hardware gets faster over time.
  • Compare Argon2id memory vs time trade-offs for your deployment.
  • Estimate how long an attacker would need to brute-force a password.
  • Set per-role iteration counts (admin vs regular user).
  • Document password hashing compliance for security audits.

Frequently Asked Questions

Last updated: 2026-07-08 · Reviewed by Nham Vu