Podcast
Get Unstuck
If you look in a default Laravel 12 application, BCRYPT_ROUNDS is set to 12 in the .env.example file, but it's overridden to 4 in the phpunit.xml file, which is used when tests run.
Why the difference?
That "cost factor" is a measure of how long it takes to hash a password. The higher the number, the longer it takes to hash. This is important for security, but in testing, we want our tests to run quickly.
In production, 12 rounds is a good default based on the current speed of computers. In the future, as computers get faster, that default number will likely increase to compensate.
But in testing, we don't care how secure a hash is. We drop that number to 4 to speed up the tests. There is no security tradeoff here.
But then the next question might be: Why not drop it even further? Why not set it to 1 or even 0? Wouldn't our tests be even faster still?
Laravel's Hash facade uses the password_hash function under the hood, which is a wrapper around the crypt function.
The crypt function requires at least 4 rounds to work properly.
You can see in the crypt docs for Blowfish (that's the B in Bcrypt), that the acceptable range is between 4 and 31.
If you set it to 1 or 0, it will throw an error Invalid bcrypt cost parameter specified.
As a side note, if you ever bump into this in application code, the error emitted by crypt might get swallowed by the framework, and you'd get a more generic Bcrypt hashing is not supported error instead.
Here to help,
Joel
P.S. When you run into weird errors in your app, and you're not sure what's causing them, having a trusted community of helpful Laravel devs is a great way to get help.