Generate bcrypt password hashes and verify passwords against existing hashes. Your password never leaves the browser.
| Cost | Iterations | Approx time | Use case |
|---|---|---|---|
| 8 | 256 | ~1ms | Testing/development only |
| 10 | 1,024 | ~100ms | Minimum for production |
| 12 | 4,096 | ~400ms | Recommended |
| 14 | 16,384 | ~1.5s | High-security accounts |
| 16 | 65,536 | ~6s | Maximum practical security |
OWASP recommends a minimum cost factor of 10, targeting ≥1 second on your server hardware. Increase the cost factor as servers get faster.
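To apply the table to hashes you already store, the cost factor can be read straight from the hash string, since bcrypt encodes it as the two digits after the version prefix. The following is an added example, not code from this tool: the function names, the status labels and the target cost of 12 are assumptions, and the sample hashes are constructed placeholders, not real bcrypt output.

```javascript
// Added example: audit stored hash strings against a bcrypt cost-factor policy.
// Format: $<version>$<2-digit cost>$<22-char salt><31-char hash>, 60 chars in total.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns the parsed fields, or null if the string is not a well-formed bcrypt hash.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // bcrypt only accepts costs 4..31
  return { version: m[1], cost, iterations: 2 ** cost, salt: m[3] };
}

// minCost follows the table's production minimum; targetCost is an assumed policy value.
function auditHash(hash, minCost = 10, targetCost = 12) {
  const p = parseBcrypt(hash);
  if (!p) return { status: "not-bcrypt" };          // e.g. a legacy MD5/SHA1 hex digest
  if (p.cost < minCost) return { status: "below-minimum", ...p };
  if (p.cost < targetCost) return { status: "rehash-on-login", ...p };
  return { status: "ok", ...p };
}

// Builds a syntactically valid but CONSTRUCTED hash string (not real bcrypt output).
function constructedHash(cost) {
  return "$2b$" + String(cost).padStart(2, "0") + "$" + "A".repeat(22) + "B".repeat(31);
}

// Counts how many entries fall into each status.
function summarize(hashes) {
  const counts = {};
  for (const h of hashes) {
    const { status } = auditHash(h);
    counts[status] = (counts[status] || 0) + 1;
  }
  return counts;
}

// Constructed sample store: three bcrypt-shaped strings and one 32-hex-char legacy digest.
const sampleStore = [constructedHash(8), constructedHash(10), constructedHash(12), "0".repeat(32)];
console.log(summarize(sampleStore));
```

A hash flagged `rehash-on-login` can only be upgraded when the user next supplies the plaintext password, because the existing hash cannot be re-costed in place.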
AquilaX detects MD5/SHA1 password hashing, missing salts, hardcoded credentials, and insecure password storage patterns across your entire codebase.