Glossary

Work Factor (Cost Factor)

A work factor is a tunable parameter that sets how expensive a password hash is to compute, letting defenders raise the cost as hardware gets faster.

A work factor (or cost factor) is a parameter that deliberately makes a password hash slow, so each brute-force guess costs an attacker real time and resources. Crucially, it is tunable: as hardware gets faster, defenders raise the work factor to keep cracking expensive.

It appears in every serious password key derivation function:

  • bcrypt — a logarithmic cost; each increment doubles the work (2^cost iterations).
  • Argon2 — separate memory (m), time (t), and parallelism (p) parameters.
  • PBKDF2 and scrypt — iteration counts, plus memory cost for scrypt.

Because the parameters are stored in the hash string, applications can detect outdated ones and rehash on next login. A high work factor only protects passwords when paired with a unique salt — see password hashing done right, or experiment with cost in the generator.
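The rehash-on-login check described above, as an added example that is not part of the original page: it reads the work factor back out of bcrypt and Argon2 hash strings and flags any that fall below policy. The `POLICY` minimums, the function names, and the sample hash strings are assumptions constructed for illustration.

```python
import re

# Hypothetical policy minimums (assumed for this example, not taken from the page).
# Argon2 parallelism is parsed but not compared: a lower p is not by itself weaker.
POLICY = {
    "bcrypt": {"cost": 12},
    "argon2id": {"m": 19456, "t": 2},
}

# bcrypt: $2b$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Argon2 (PHC string format): $argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)

def parse_work_factor(stored):
    """Return (algorithm, params) read from the hash string, or None if unrecognised."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", {"cost": int(m.group(1))}
    m = ARGON2_RE.match(stored)
    if m:
        keys = ("m", "t", "p")
        return m.group(1), {k: int(v) for k, v in zip(keys, m.groups()[1:])}
    return None

def needs_rehash(stored):
    """True when the stored hash should be replaced after the next successful login."""
    parsed = parse_work_factor(stored)
    if parsed is None:
        return True   # unknown or legacy format (e.g. a bare MD5 hex digest)
    algo, params = parsed
    wanted = POLICY.get(algo)
    if wanted is None:
        return True   # recognised, but not a variant the policy accepts
    return any(params[k] < minimum for k, minimum in wanted.items())

# Constructed sample hash strings (salt and digest parts are filler, not real hashes).
SAMPLES = {
    "bcrypt_weak":   "$2b$10$" + "A" * 53,
    "bcrypt_ok":     "$2b$12$" + "A" * 53,
    "argon2id_ok":   "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g",
    "argon2id_weak": "$argon2id$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$aGFzaGhhc2g",
    "legacy_md5":    "5f4dcc3b5aa765d61d8327deb882cf99",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} needs_rehash={needs_rehash(value)}")
```

The check runs only after a successful password verification, because that is the one moment the application holds the plaintext needed to compute a hash with the new parameters.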