Hash passwords with bcrypt and verify plaintext against bcrypt hashes with configurable salt rounds
Higher rounds make each hash more expensive to compute, which slows down attackers but also slows down legitimate logins; 10 is recommended for most use cases.
Bcrypt is a password hashing function designed to be computationally expensive to resist brute-force attacks. It automatically generates a salt and incorporates it into the hash output.
The salt rounds parameter (also called the cost factor) sets the number of key-expansion iterations the hashing algorithm performs, which is 2^cost. Each increment of the cost therefore doubles the computation time, making the hash exponentially harder to crack.
A bcrypt hash follows the format $2b$[cost]$[22 char salt][31 char hash], 60 characters in total. The algorithm version, cost factor, and salt are all embedded in the output, so verification only needs the stored string and the candidate password.
Use a minimum of 10 salt rounds for production systems. Never store plaintext passwords. Bcrypt is preferred over MD5 or SHA for password storage because it is intentionally slow and far more resistant to GPU-based cracking than fast general-purpose hashes.
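As an added example (not code from this page), the Python below parses the stored bcrypt string format described above and uses the embedded cost factor to flag hashes that fall below a minimum-rounds policy, so they can be re-hashed on the user's next successful login. The sample strings are constructed to match the format and are not real bcrypt output; the names parse_bcrypt_hash, needs_rehash, work_ratio and audit are chosen here.

```python
import re

# bcrypt modular-crypt string: $<version>$<2-digit cost>$<22-char salt><31-char hash>
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9); total length is 60.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST, MAX_COST = 4, 31  # cost range accepted by bcrypt implementations

# Constructed sample strings, NOT real bcrypt output: the salt/hash parts are just
# characters of the right length and alphabet so the format checks can run offline.
SAMPLE_COST10 = "$2b$10$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU"
SAMPLE_COST04 = "$2a$04$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU"


def parse_bcrypt_hash(stored):
    """Split a stored bcrypt string into version, cost, salt and hash.
    Raises ValueError for anything that is not well-formed bcrypt, so a plaintext
    or MD5/SHA value left in the password column is caught rather than ignored."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {"version": version, "cost": cost, "salt": salt, "hash": digest}


def needs_rehash(stored, policy_cost=10):
    """True when the stored hash uses fewer rounds than current policy. Because the
    cost is embedded in the hash, a login flow can verify against the old hash and
    then re-hash the just-verified password at policy_cost."""
    return parse_bcrypt_hash(stored)["cost"] < policy_cost


def work_ratio(old_cost, new_cost):
    """Relative cost of new_cost versus old_cost: each increment doubles the work."""
    return 2 ** (new_cost - old_cost)


def audit(stored_hashes, policy_cost=10):
    """Sort stored values into ok / rehash / invalid buckets for a migration report."""
    report = {"ok": [], "rehash": [], "invalid": []}
    for s in stored_hashes:
        try:
            bucket = "rehash" if needs_rehash(s, policy_cost) else "ok"
        except ValueError:
            bucket = "invalid"
        report[bucket].append(s)
    return report
```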