I’ve read some articles saying you should set the cost to be at least 16 (216), yet others say 8 or so is fine.
Is there any official standard for how high the cost should be set to?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve read some articles saying you should set the cost to be at least 16 (216), yet others say 8 or so is fine.
Is there any official standard for how high the cost should be set to?
The cost you should use depends on how fast your hardware (and implementation) is.
Generally speaking a cost of 8 or 10 is fine — there isn’t any noticable delay. It’s still a huge level of protection and far better than any home-grown solution using SHAs and salts. Once you upgrade your hardware you could increase the cost to 16. I would say that 16 is a little high at this time, and will probably result in noticeable (and annoying) delays. But if 16 works for you, by all means go for it!