While working on the new web API for Owl Platform, I had some trouble finding the right parameters for bcrypt. It’s a great library/algorithm for password hashing, but I couldn’t figure out what the right log factor (the cost parameter, i.e. the base-2 log of the number of rounds) was. The default value of 10 was described in plenty of articles, but I had no idea what was right for 2013. Here’s what I found. On my Intel i5 M460 (2.5 GHz), it took around 440 milliseconds to hash/verify a password using a log factor of 12. This seems entirely reasonable to me. I hope that on better hardware it will still take at least 5-10 milliseconds, slowing down attackers.
Ben and I got into a big tirade about what was really secure and what crypto strength meant and everything, but in the end I think a log factor of 12 is sensible. I may bump it up to 13 before we go live, if the hardware keeps the hash under 200 ms.
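Because each +1 of the bcrypt log factor doubles the work, one timing on the target hardware is enough to pick the largest cost that stays under a latency budget. The calibration below is an added example, not code from the post; the live measurement assumes the third-party `bcrypt` PyPI package, while the extrapolation and selection logic run without it.

```python
import math
import statistics
import time
from typing import Callable

# bcrypt's cost ("log factor") is log2 of the iteration count, so every
# +1 doubles both the attacker's and the server's work per password.
MIN_COST = 4   # smallest cost bcrypt accepts
MAX_COST = 31  # largest cost bcrypt accepts


def time_hash(hasher: Callable[[int], None], cost: int, runs: int = 5) -> float:
    """Median wall-clock seconds for one hash at `cost` over `runs` samples."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        hasher(cost)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def predict_seconds(measured_cost: int, measured_seconds: float, cost: int) -> float:
    """Extrapolate one measurement to another cost with the 2^delta law."""
    return measured_seconds * 2.0 ** (cost - measured_cost)


def choose_cost(measured_cost: int, measured_seconds: float, target_seconds: float) -> int:
    """Largest cost whose predicted hash time is at or under target_seconds."""
    # Solve measured * 2^(c - measured_cost) <= target for c and floor it.
    delta = math.floor(math.log2(target_seconds / measured_seconds))
    return max(MIN_COST, min(MAX_COST, measured_cost + delta))


def bcrypt_hasher(cost: int) -> None:
    """Hash a constructed sample password (needs `pip install bcrypt`)."""
    import bcrypt  # third-party package, imported lazily
    bcrypt.hashpw(b"correct horse battery staple", bcrypt.gensalt(rounds=cost))


if __name__ == "__main__":
    # Sample a cheap cost once, then extrapolate to the budgets in the post.
    measured = time_hash(bcrypt_hasher, 10)
    for target_ms in (200, 440):
        c = choose_cost(10, measured, target_ms / 1000)
        eta = predict_seconds(10, measured, c) * 1000
        print(f"target {target_ms} ms -> cost {c} (~{eta:.0f} ms per hash)")
```

With the post's own numbers (440 ms at cost 12), a 200 ms budget on the same machine permits cost 10, and cost 13 needs hardware roughly four times faster to stay under it.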